FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-020
SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS should improve its monitoring of the operating effectiveness of general controls, such as security, for the third-party organizations that provide various electronic benefits transfer (EBT) services. We noted:
a. MDHHS did not document the date it received all 5 System and Organization Controls (SOC) reports* from the EBT service provider to support MDHHS reviewed the reports in a timely manner. Also, for 4 of these SOC reports received, the same person completed and approved the evaluation of the reports.
b. MDHHS did not obtain a bridge letter in appropriate circumstances for the 1 applicable subservice organization SOC report. In this instance, the bridge letter obtained covered a period of 13 months, for which 9 months occurred during our audit period.
c. MDHHS had not reviewed or evaluated 1 of 2 SOC reports of the subservice organization that provides information systems services, such as hosting services and managing infrastructure services and operations, to the State's EBT service provider.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits.
The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG requires management to complete the review within 30 days of receiving the SOC report. Also, the FMG indicates the departments should consider and document conclusions regarding whether the sub-servicers' controls are relevant to the department's control environment and document in their evaluation of the SOC report how these were resolved.
Also, FMG (Part VII, Chapter 2, Section 200) requires the department to divide or segregate duties among different people or implement alternative or compensating controls to mitigate the risk associated with a single user having the ability to perform conflicting duties.
In addition, the State Budget Office's Office of Internal Audit Services SOC report review guidance states that if the report covers a period of less than 6 months, it provides minimal assurance that the controls are in place and that if the gap period is greater than 90 days, the State agency should evaluate if a bridge letter is sufficient or if additional procedures are needed.
Cause
MDHHS's internal control was not sufficient to ensure it documented its review of all components of the SOC reports.
Effect
MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its monitoring of the operating effectiveness of general controls for the third-party organizations that provide various EBT services.
Management Views
MDHHS agrees with the finding.
FINDING 2023-021
SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury.
Condition
MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government.
Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the Automated Clearing House.
Cause
MDHHS informed us that EBT reconciliations between Bridges, Bridges data warehouse, and the vendor are conducted on a monthly basis using daily data because of the timing of benefit authorization, availability of vendor data, and usage of benefits.
Effect
Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw.
Management Views
MDHHS disagrees that a material weakness and material noncompliance exist. MDHHS federal reporting conducts a daily reconciliation of federal draws and authorizations to retailers based on vendor EBT reports. In addition, MDHHS conducts a monthly reconciliation between Bridges, Bridges data warehouse, and vendor EBT reports using daily data to ensure the client information in Bridges and Bridges data warehouse is accurate. The monthly reconciliation process does not impact the federal draw because the daily reconciliation of the vendor EBT report is used for this purpose. MDHHS provided detailed and accurate descriptions of MDHHS daily and monthly EBT reconciliations to the designated federal awarding agency contacts at the United States Department of Agriculture Food and Nutrition Service Agency that are familiar with MDHHS processes and received confirmation that the current reconciliation processes in place are sufficient to comply with federal regulations.
Auditor's Comments to Management Views
MDHHS acknowledges it does not perform daily reconciliations of payments made to retailers by its EBT contractor to Bridges data although federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day. Also, MDHHS did not sufficiently communicate its EBT process to its regional federal contact person. The daily EBT "reconciliation" noted above does not include Bridges data, but instead uses the EBT contractor report to confirm the accuracy of the federal account balance. Therefore, the regional federal contact person did not have all necessary information to assess if MDHHS's process complied with the federal regulation. In addition, MDHHS did not obtain an opinion from a federal person with the authority to issue an opinion on behalf of the United States Department of Agriculture ensuring consistent interpretation of federal regulations.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 200.516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. MDHHS incurred SNAP (ALN 10.551) expenditures of $3.7 billion during fiscal year 2023, with daily draws averaging over $20 million; therefore, the lack of a daily reconciliation increases the risk MDHHS may not detect differences between the State records and the EBT contractor's reports prior to drawing down federal funds.
The finding stands as written.
FINDING 2023-021
SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury.
Condition
MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government.
Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the Automated Clearing House.
Cause
MDHHS informed us that EBT reconciliations between Bridges, Bridges data warehouse, and the vendor are conducted on a monthly basis using daily data because of the timing of benefit authorization, availability of vendor data, and usage of benefits.
Effect
Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw.
Management Views
MDHHS disagrees that a material weakness and material noncompliance exist. MDHHS federal reporting conducts a daily reconciliation of federal draws and authorizations to retailers based on vendor EBT reports. In addition, MDHHS conducts a monthly reconciliation between Bridges, Bridges data warehouse, and vendor EBT reports using daily data to ensure the client information in Bridges and Bridges data warehouse is accurate. The monthly reconciliation process does not impact the federal draw because the daily reconciliation of the vendor EBT report is used for this purpose. MDHHS provided detailed and accurate descriptions of MDHHS daily and monthly EBT reconciliations to the designated federal awarding agency contacts at the United States Department of Agriculture Food and Nutrition Service Agency that are familiar with MDHHS processes and received confirmation that the current reconciliation processes in place are sufficient to comply with federal regulations.
Auditor's Comments to Management Views
MDHHS acknowledges it does not perform daily reconciliations of payments made to retailers by its EBT contractor to Bridges data although federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day. Also, MDHHS did not sufficiently communicate its EBT process to its regional federal contact person. The daily EBT "reconciliation" noted above does not include Bridges data, but instead uses the EBT contractor report to confirm the accuracy of the federal account balance. Therefore, the regional federal contact person did not have all necessary information to assess if MDHHS's process complied with the federal regulation. In addition, MDHHS did not obtain an opinion from a federal person with the authority to issue an opinion on behalf of the United States Department of Agriculture ensuring consistent interpretation of federal regulations.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 200.516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. MDHHS incurred SNAP (ALN 10.551) expenditures of $3.7 billion during fiscal year 2023, with daily draws averaging over $20 million; therefore, the lack of a daily reconciliation increases the risk MDHHS may not detect differences between the State records and the EBT contractor's reports prior to drawing down federal funds.
The finding stands as written.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support that the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user, and we noted for 1 (5%) of these users MDE did not deactivate the existing user's account. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies that FFATA reporting should be completed monthly and that reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
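The thresholds in the criteria above can be checked mechanically against an account export. The following is an added example, not part of the audit report or of any MDE system: the account fields, role names, incompatible role pairs, and sample accounts are all constructed assumptions, and only the 60-day, 18-month, semiannual, and annual thresholds come from the text.

```python
"""Account-review checks built from the thresholds quoted in the Criteria text."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STANDARD_INACTIVITY_DAYS = 60      # Standard: disable inactive accounts after 60 days
EXCEPTION_INACTIVITY_MONTHS = 18   # approved exception described in the Criteria
PRIVILEGED_REVIEW_MONTHS = 6       # semiannual review of privileged accounts
OTHER_REVIEW_MONTHS = 12           # annual review of all other accounts

# Hypothetical incompatible role pairs; the report does not list the real ones.
INCOMPATIBLE_ROLE_PAIRS = [
    frozenset({"payment_preparer", "payment_approver"}),
    frozenset({"user_admin", "grant_approver"}),
]


def months_before(day: date, months: int) -> date:
    """Subtract calendar months, clamping to the last day of shorter months."""
    index = day.year * 12 + (day.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]    # None: the user never signed in
    last_review: Optional[date]   # None: never recertified since creation
    roles: frozenset = frozenset()


def review_account(acct: Account, as_of: date, use_exception: bool = True) -> list:
    """Return the exception codes for one account as of the review date."""
    if not acct.enabled:
        return []  # disabled accounts are outside the review population
    findings = []

    # Inactivity: 18-month exception, or the Standard's 60-day baseline.
    if use_exception:
        cutoff = months_before(as_of, EXCEPTION_INACTIVITY_MONTHS)
    else:
        cutoff = as_of - timedelta(days=STANDARD_INACTIVITY_DAYS)
    last_activity = acct.last_login or acct.created
    if last_activity < cutoff:
        findings.append("INACTIVE_NOT_DISABLED")

    # Recertification: assumption that approval at creation starts the clock.
    window = PRIVILEGED_REVIEW_MONTHS if acct.privileged else OTHER_REVIEW_MONTHS
    last_certified = acct.last_review or acct.created
    if last_certified < months_before(as_of, window):
        findings.append(
            "PRIVILEGED_REVIEW_OVERDUE" if acct.privileged else "ANNUAL_REVIEW_OVERDUE"
        )

    # Separation of duties: any incompatible pair held by one account.
    if any(pair <= acct.roles for pair in INCOMPATIBLE_ROLE_PAIRS):
        findings.append("INCOMPATIBLE_ROLES")
    return findings


def review_all(accounts, as_of: date, use_exception: bool = True) -> dict:
    """Map (system, user) to exception codes, omitting clean accounts."""
    results = {}
    for acct in accounts:
        codes = review_account(acct, as_of, use_exception)
        if codes:
            results[(acct.system, acct.user)] = codes
    return results


# Constructed sample export; none of these users or dates come from the report.
SAMPLE_ACCOUNTS = [
    Account("NexSys", "user-a", False, True, date(2020, 1, 15),
            date(2022, 2, 10), date(2023, 5, 1), frozenset({"viewer"})),
    Account("MEGS+", "admin-b", True, True, date(2020, 1, 15),
            date(2023, 9, 1), date(2023, 1, 15), frozenset({"user_admin"})),
    Account("NexSys", "user-c", False, True, date(2020, 1, 15),
            date(2023, 8, 20), date(2023, 6, 1),
            frozenset({"payment_preparer", "payment_approver"})),
    Account("MiND", "user-d", False, True, date(2020, 1, 15),
            date(2023, 7, 1), date(2023, 4, 1), frozenset({"viewer"})),
    Account("GEMS/MARS", "user-e", False, False, date(2020, 1, 15),
            date(2021, 3, 1), None, frozenset({"viewer"})),
]

if __name__ == "__main__":
    for key, codes in review_all(SAMPLE_ACCOUNTS, date(2023, 9, 30)).items():
        print(key, codes)
```

Running the same export with `use_exception=False` shows how many additional accounts the 60-day baseline would flag compared with the 18-month exception.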
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-022
Pandemic EBT Food Benefits, ALN 10.542, Activities Allowed or Unallowed and Eligibility - Lack of Documentation for School Modality Data Reviews
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain documentation of its efforts to review the accuracy of P-EBT school modality data used to calculate food benefit payments for all eligible students.
Criteria
The Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, requires MDHHS to have an approved state plan to provide P-EBT food benefits to households with children who would otherwise receive free or reduced-price meals if not for their schools being closed because of the COVID-19 emergency.
MDHHS's P-EBT State Plan states it will review monthly sample modality results for program accuracy, including an interview with school personnel and MDE.
Cause
MDHHS informed us it reviewed the school modality data, but it did not document its review in the log.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to or on behalf of ineligible students. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that it appropriately reviews the accuracy of P-EBT school modality data.
Management Views
MDHHS disagrees that not formally documenting the review details on the log rises to the level of a material weakness and material noncompliance.
MDHHS selects a sample of schools that submitted data and verifies the accuracy of P-EBT school modality data reported, documenting the schools reviewed within a log. Following the written business process, P-EBT staff first identify public information available to verify the school's modality data such as the school's calendar or news articles, and then reach out to school administration if public information is not available. If additional steps are required to reconcile the data, P-EBT staff document the support and results, sign off on the reconciliation, and forward to a supervisor for review. For this review period, no discrepancies were identified between what the school reported and school websites. Since no discrepancies were noted, staff verbally communicated the review results to the manager and the log of sample items reviewed was kept within a shared drive.
Auditor's Comments to Management Views
MDHHS acknowledges it did not document the results of its modality reviews because it verbally communicated the results internally. Documentation of completed reviews is necessary to provide information to both MDHHS supervisors and auditors to validate MDHHS appropriately completed its modality reviews. MDHHS provided a spreadsheet to support its reviews; however, the spreadsheet did not substantiate the reviews were completed. Therefore, without documentation, the auditor cannot perform appropriate audit procedures, including sampling and testing of internal control, to verify MDHHS completed its modality reviews.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. The lack of a documented modality review process increases the risk MDHHS may not detect inaccuracies in school reported modality and may authorize payments to ineligible students.
Therefore, the finding stands as written.
FINDING 2023-023
Pandemic EBT Food Benefits, ALN 10.542, Reporting - Accuracy of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not submit accurate monthly P-EBT financial reports to the U.S. Department of Agriculture (USDA) Food and Nutrition Service (FNS) for 1 of 3 sampled Report of Disaster Supplemental Nutrition Assistance Benefit Issuance (FNS-292B). For this 1 instance, MDHHS reported inaccurate disaster relief information in the October 2022 FNS-292B. MDHHS overstated:
a. Total value of benefits issued by $377.9 million.
b. Number of persons issued benefits by 963,633.
c. Number of households issued benefits by 802,454.
Criteria
Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements.
Federal Register 86:89 (11 May 2021) page 25,837 requires state agencies to report the number of eligible children and households receiving P-EBT benefits and total value of the benefits monthly.
Cause
MDHHS informed us its monitoring activities were not sufficient to detect data entry errors included in the submitted report.
Effect
MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of P-EBT funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its internal control and submit accurate P-EBT financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-024
Fish and Wildlife Cluster, ALN 15.605, 15.611, and 15.626, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Inappropriate Telecommunication Expenditures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Natural Resources (DNR) did not ensure that telecommunication expenditures charged to the Fish and Wildlife Cluster were incurred for fish and wildlife activities. We reviewed 1 sampled telecommunication transaction related to 196 employees. We sampled 20 of those employees and noted 2 (10%) employees did not work on fish and wildlife activities.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
In addition, federal regulation 2 CFR 200.306 requires costs used for matching be allowable costs to the federal award.
Cause
DNR informed us that, because of an oversight error, it did not timely identify these employees to be removed from the monthly telecommunication bill.
Effect
DNR charged the Fish and Wildlife Cluster for telecommunication expenditures related to employees who worked on non-fish and wildlife activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DNR ensure that telecommunication expenditures charged to the Fish and Wildlife Cluster are incurred for fish and wildlife activities.
Management Views
DNR agrees with the finding.
FINDING 2023-025
Fish and Wildlife Cluster, ALN 15.605, 15.611, and 15.626, Equipment and Real Property Management - Inaccurate Inventory of Equipment
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DNR did not properly account for its capitalized equipment acquired with federal funds. We noted DNR did not assign an equipment identification tag and record the capital equipment in its inventory system for 1 of 6 sampled equipment acquisitions.
Criteria
Federal regulation 2 CFR 200.313(b) requires the state agency to manage equipment acquired under a federal award by the state in accordance with state laws and procedures.
The FMG (Part II, Chapter 21, Section 110) and DNR policy require DNR to tag all equipment and to maintain in its records the tag numbers of all capital assets.
Cause
DNR informed us the equipment was not tagged or included in its inventory system because of an oversight.
Effect
Insufficient capital asset records could increase the risk that equipment may be missing, lost, or stolen. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DNR properly account for its capitalized equipment acquisitions.
Management Views
DNR agrees with the finding.
FINDING 2023-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-001.
Finding 2023-001
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance and Material Weakness
Compliance Requirement: Allowable Costs/Cost Principles and Eligibility
Known Questioned Costs: Undeterminable
Repeat Finding: 2022-001
Systemic or Isolated: Systemic
Criteria: The federal government set a prescribed claim progression and eligibility requirements for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for regular unemployment compensation, the claimant is ineligible for receiving benefits under the Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must exhaust all rights to benefits under the previous claim type within the progression to become eligible for the subsequent claim type.
Condition: In certain instances, the benefit system allowed for the payment of benefits under the PUA, PEUC, and EB programs when claimants were eligible for regular unemployment compensation or prior to the exhaustion of the previous claim type within the progression.
Cause: Proper controls were not set within the benefit system to ensure proper eligibility and claim progression.
Effect: Payments of benefits under federal programs have no net effect on the net position of the Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under regular unemployment compensation reduce the net position of the Fund. Additionally, improper payments of benefits under federal programs create unallowed federal costs.
Recommendation: We recommend that the Agency improve controls in the benefit system to ensure proper eligibility and claim progression.
Views of Responsible Officials: Management agrees with the finding. This issue was also raised by the U.S. Department of Labor (DOL), Employment and Training Administration (ETA) in an enhanced desk monitoring review titled The State of Michigan’s Pandemic Unemployment Assistance (PUA) and Federal Pandemic Unemployment Compensation (FPUC) programs. Based on correspondence with U.S. DOL, these findings were deemed resolved with no further action required due to the significant administrative burden involved in correcting the payment sequencing. All claimants were paid the proper benefits, but the federal program charged was incorrect in some instances.
Regarding improvements to the controls to prevent a future issue such as this, along with plans to dedicate sufficient resources to timely audit new programs for compliance, the Agency has revised its process for prioritizing and completing necessary system updates. Effective May 2023, Agency Services implemented an SQR prioritization process for the Agency. When an SQR is opened, it is the responsibility of the applicable division to ensure the request is added to their division priority list and given a priority score (from one to five with one as the highest priority). Meetings are held bi-weekly between Agency Services and division representatives to discuss and review the status of each SQR until the change is migrated to production.
FINDING 2023-059
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-002.
Finding 2023-002
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance – 17.225
Federal Award Identification Number and Year: Various
Type of Finding: Material Noncompliance
Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments
Known Questioned Costs: None
Repeat Finding: 2022-002
Systemic or Isolated: Systematic
Criteria: States are prohibited from providing relief from charges to an employer’s unemployment compensation account when the benefit overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
Condition: The Agency elected to relieve charges to an employer’s unemployment compensation account when the benefit payment was the result of the employer’s failure to respond timely or adequately due to the Covid-19 Pandemic causing unforeseen difficulties for employers within the State.
Cause: The Agency implemented an SQR to credit the charges that would have typically been charged to the nonresponsive employer’s unemployment compensation account during the Covid-19 Pandemic. However, there was an error in the logic of the SQR and certain employers did not have their charges associated with Covid-19 claims relieved.
Effect: Certain nonresponsive employers incorrectly had their unemployment compensation account charged for benefits during the Covid-19 Pandemic. The Agency’s policy to provide relief for employers during the Pandemic was not applied consistently to each employer.
Recommendation: We recommend that the Agency review the logic of the SQR that was implemented to credit the charges that would have typically been charged to the nonresponsive employer’s unemployment compensation account during the Covid-19 Pandemic and review the benefits that were charged to employer accounts throughout the Covid-19 Pandemic to determine which employers were erroneously charged.
Views of Responsible Officials: Management agrees with the finding. The Agency will perform an analysis of the employers adversely impacted by subsequent adjudications and will determine the best course of action to ensure fair and equitable treatment of all employers.
FINDING 2023-060
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-003.
Finding 2023-003
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment
Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN
17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance
Compliance Requirement: Special Tests and Provisions, UI Program Integrity – Overpayments
Known Questioned Costs: None
Repeat Finding: 2022-003
Systemic or Isolated: Systemic
Criteria: Offsets of future unemployment compensation payments to recover prior overpayments
are limited to the recovery of the prior overpayment amount in accordance with federal guidance.
Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the
original benefit overpayment were used to recover penalties and interest.
Cause: Due to the continual movement of monies as a result of changes in amounts due resulting
from corrections or appeal decisions, a parameter has not been established in the benefit system
to account for every possible scenario to prevent the allocation of unapplied recoveries to
penalties and interest after overpayment amounts due were satisfied.
Effect: Interest and penalties due under federal and state law were recovered from offsets of
unemployment compensation payments.
Recommendation: We recommend that the Agency add a parameter to the automated system to
ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment
amounts.
Views of Responsible Officials: Management agrees with the finding. The necessary parameter
was previously implemented that prevented the inappropriate allocations on current and
subsequent benefit payment recoveries; however, subsequent reallocations of monies under
specific circumstances caused prior recoupments to improperly reallocate. The Trust Fund
Accounting section will perform a monthly review to confirm that no prior period adjustments
reallocated recoupments to penalty and interest. The review to date has determined that the
adjustment amounts are immaterial. An automated solution does not appear obtainable in the
current system. The Agency is in the process of implementing a new automated system and will
ensure these adjustments are programmed correctly.
FINDING 2023-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-001.
Finding 2023-001
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment
Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN
17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance and Material Weakness
Compliance Requirement: Allowable Costs/Cost Principles and Eligibility
Known Questioned Costs: Undeterminable
Repeat Finding: 2022-001
Systemic or Isolated: Systemic
Criteria: The federal government set a prescribed claim progression and eligibility requirements
for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for
regular unemployment compensation, the claimant is ineligible for receiving benefits under the
Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment
Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must
exhaust all rights to benefits under the previous claim type within the progression to become
eligible for the subsequent claim type.
Condition: In certain instances, the benefit system allowed for the payment of benefits under the
PUA, PEUC, and EB programs when claimants were eligible for regular unemployment
compensation or prior to the exhaustion of the previous claim type within the progression.
Cause: Proper controls were not set within the benefit system to ensure proper eligibility and
claim progression.
Effect: Payments of benefits under federal programs have no net effect on the net position of the
Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under
regular unemployment compensation reduce the net position of the Fund. Additionally,
improper payments of benefits under federal programs create unallowed federal costs.
Recommendation: We recommend that the Agency improve controls in the benefit system to
ensure proper eligibility and claim progression.
Views of Responsible Officials: Management agrees with the finding. This issue was also raised
by the U.S. Department of Labor (DOL), Employment and Training Administration (ETA) in an
enhanced desk monitoring review titled The State of Michigan’s Pandemic Unemployment
Assistance (PUA) and Federal Pandemic Unemployment Compensation (FPUC) programs.
Based on correspondence with U.S. DOL, these findings were deemed resolved with no further
action required due to the significant administrative burden involved in correcting the payment
sequencing. All claimants were paid the proper benefits, but the federal program charged was
incorrect in some instances.
Regarding improvements to the controls to prevent a future issue such as this, along with plans to
dedicate sufficient resources to timely audit new programs for compliance, the Agency has
revised its process for prioritizing and completing necessary system updates. Effective May
2023, Agency Services implemented an SQR prioritization process for the Agency. When an
SQR is opened, it is the responsibility of the applicable division to ensure the request is added to
their division priority list and given a priority score (from one to five with one as the highest
priority). Meetings are held bi-weekly between Agency Services and division representatives to
discuss and review the status of each SQR until the change is migrated to production.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-026
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 1 of 8 sampled payments to ensure the requests are reasonable and appropriate.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
EGLE informed us it determined that, for a single grant, there were instances in which it did not follow the established process for reviewing and approving reimbursement requests.
Effect
EGLE could potentially reimburse for ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.
Management Views
EGLE agrees with the finding.
FINDING 2023-027
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not have sufficient controls in place to prevent or detect and correct payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments subsequent to input into the Medical Services Administration Manual Payment System. Our review disclosed MDHHS issued duplicated payments to two recipients.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
MDHHS informed us limited staff resources contributed to the lack of reviews and approvals of the respite grant payments.
Effect
The deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its controls to prevent or detect and correct payment errors made to respite grant recipients.
Management Views
MDHHS agrees with the finding.
FINDING 2023-028
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Procurement and Suspension and Debarment - Lack of Required Contract Provisions
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not include all applicable required provisions in 1 (4%) of 23 sampled contracts executed during fiscal year 2023.
Criteria
Federal regulation 2 CFR 200.327 states the nonfederal entity's contracts must contain the applicable provisions described in Appendix II to Part 200. Appendix II to Part 200 states, in addition to other provisions required by the federal agency or nonfederal entity, all contracts made by the nonfederal entity must contain provisions covering the provisions in Appendix II as applicable.
Cause
DTMB informed us the noncompliant contract was due to the utilization of an existing competitively bid contract in which the project was initially funded with nonfederal funding. DTMB stated funding source changes are not typical; when the project funding was revised, an error was made in not ensuring it included the necessary provisions.
Effect
The contractor may not comply with the required federal provisions because the State did not include the provisions in the contract. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that DTMB include all applicable required provisions in contracts of federal awards.
Management Views
DTMB agrees with the finding.
FINDING 2023-029
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Procurement and Suspension and Debarment - Suspension and Debarment Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have an adequate process to ensure the Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) subrecipients were not suspended or debarred prior to its plans to enter into grant agreements for 3 of the 5 sampled subrecipients.
Criteria
Federal regulation 2 CFR 180.300 requires that, when MDE enters into a covered transaction with a subrecipient with whom it plans to do business, it verify that the subrecipient is not suspended or debarred. This can be accomplished by checking the federal website, collecting a certification, or adding a clause or condition to the covered transaction agreement.
Cause
For 2 subrecipients, MDE believes the reference to the entire Uniform Guidance (federal regulation 2 CFR 200) in the grant agreement constitutes verification the subrecipients are not suspended or debarred; therefore, MDE did not add a specific suspension or debarment clause or cite the specific suspension and debarment regulation (federal regulation 2 CFR 200.214). For the other subrecipient, MDE informed us its process was not always sufficient to ensure document retention of its verification to the federal website.
Effect
An increased risk exists that MDE could provide grant funds to suspended or debarred subrecipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None. We reviewed the federal website and noted these 3 subrecipients were not suspended or debarred; therefore, we did not question the costs.
Recommendation
We recommend MDE establish an adequate process to ensure CSLFRF subrecipients are not suspended or debarred prior to its plans to enter into grant agreements.
Management Views
MDE agrees with the finding.
FINDING 2023-030
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all CSLFRF data reported to the U.S. Department of the Treasury. We noted:
a. DTMB did not maintain documentation to support it approved the system role for all 9 sampled Workfront users.
b. DTMB did not review all privileged accounts on a semiannual basis for Workfront users.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2023-031
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully implement an effective change management process over Workfront. We sampled 4 Workfront change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
DTMB informed us the development team met with program management to discuss the necessary system changes to resolve the identified issues, but it did not maintain documentation of these meetings.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Workfront. As a result, an increased risk exists that DTMB cannot ensure Workfront is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement an effective change management process over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2023-032
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and MDE did not report to their subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. MDHHS did not report the correct unique entity identifier (UEI) or FAIN for all 4 sampled CSLFRF subrecipients.
b. MDE did not correctly report one or more of the following for 5 of 6 sampled CSLFRF subrecipients: subrecipient name that matches the name associated with its UEI, unique entity identifier, FAIN, and closeout terms and conditions.
Criteria
Federal regulation 2 CFR 200.332(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., MDHHS informed us because of an oversight, it did not use the correct ALN when determining the FAIN, and the grantee profile contained the Data Universal Numbering System (DUNS) number rather than the UEI.
For part b., MDE informed us because of an oversight, it did not use the appropriately updated grant agreement templates with the correct subaward information for fiscal year 2023.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and MDE report to their subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MDHHS and MDE agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-012
Title I Grants to Local Educational Agencies, ALN 84.010 and Supporting Effective Instruction State Grants, ALN 84.367 - Participation of Private School Children
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not obtain and review the local educational agencies' (LEAs') consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children for all 17 sampled Title I LEAs and all 20 sampled Supporting Effective Instruction State Grants (SEISG) LEAs.
Criteria
Federal laws 20 USC 6320(a) and 20 USC 7881(a) state LEAs must engage in timely and meaningful consultation with private school officials and provide eligible private school children, their teachers or other educational personnel, and/or their families with equitable services or other benefits under the federal programs. Also, federal laws 20 USC 6320(b) and 20 USC 7881(c) state each LEA shall maintain its own records and provide to the state educational agency a written affirmation signed by the officials of each private school that the meaningful consultation occurred.
MDE's written policies require LEAs to submit completed consultation forms in GEMS/MARS for review by the MDE Equitable Services Ombudsman.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure it obtained and reviewed the consultation forms. MDE contacted the LEAs and obtained the consultation forms for 13 sampled Title I LEAs and 15 sampled SEISG LEAs subsequent to our review.
Effect
Insufficient review of LEAs' consultation forms may result in eligible private school children not receiving the appropriate equitable services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE obtain and review the LEAs' consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children.
Management Views
MDE agrees with the finding.
FINDING 2023-033
Title I Grants to Local Educational Agencies, ALN 84.010, Matching, Level of Effort, and Earmarking - Supplement Not Supplant Monitoring Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not sufficiently monitor the LEAs to ensure they had a written methodology to demonstrate compliance with supplement not supplant requirements. MDE's process is to perform an annual risk-based approach of over 850 LEAs and then select higher risk LEAs to conduct on-site reviews that include reviews of the LEA's supplement not supplant methodology. We noted MDE performed an on-site review at 1 LEA during fiscal year 2023.
Criteria
Federal law 20 USC 6321(b) states an LEA shall use Title I, Part A funds only to supplement the funds that would be available from state and local sources for the education of students participating in Title I, Part A programs and not to supplant these funds. The U.S. Department of Education's supplement not supplant guidance indicates the state educational agency shall monitor its LEAs to ensure compliance with the requirements of the federal law, which include reviewing an LEA for a compliant methodology for allocating state and local funds.
Cause
MDE informed us system issues and competing priorities impacted its ability to perform on-site reviews.
Effect
LEAs may have improperly utilized federal funds instead of State or local funding for primary services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE sufficiently monitor LEAs to ensure they have written methodologies to demonstrate compliance with supplement not supplant requirements.
Management Views
MDE agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactionsʹ review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-012
Title I Grants to Local Educational Agencies, ALN 84.010 and Supporting Effective Instruction State Grants, ALN 84.367 - Participation of Private School Children
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not obtain and review the local educational agencies' (LEAsʹ) consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children for all 17 sampled Title I LEAs and all 20 sampled Supporting Effective Instruction State Grants (SEISG) LEAs.
Criteria
Federal laws 20 USC 6320(a) and 20 USC 7881(a) state LEAs must engage in timely and meaningful consultation with private school officials and provide eligible private school children, their teachers or other educational personnel, and/or their families with equitable services or other benefits under the federal programs. Also, federal laws 20 USC 6320(b) and 20 USC 7881(c) state each LEA shall maintain its own records and provide to the state educational agency a written affirmation signed by the officials of each private school that the meaningful consultation occurred.
MDEʹs written policies require LEAs to submit completed consultation forms in GEMS/MARS for review by the MDE Equitable Services Ombudsman.
Cause
MDEʹs internal control and monitoring activities were not sufficient to ensure it obtained and reviewed the consultation forms. MDE contacted the LEAs and obtained the consultation forms for 13 sampled Title I LEAs and 15 sampled SEISG LEAs subsequent to our review.
Effect
Insufficient review of LEA's consultation forms may result in eligible private school children not receiving the appropriate equitable services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE obtain and review the LEAsʹ consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children.
Management Views
MDE agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactionsʹ review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies that FFATA reporting should be completed monthly and that reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or available in a timely manner for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support that the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user, and we noted that for 1 (5%) of these users MDE did not deactivate the existing user's account. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers, and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process requires a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review noted that, for 7 (18%) of 40 sampled child care providers, the provider's file did not include adequate documentation to support that the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE to identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE to identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities to ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support that beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter, and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support that beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment, which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
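The control-total reconciliation that FISCAM recommends, and the duplicated record counts DTMB gave as the cause, can be illustrated as follows. This is an added example, not code or data from the audit report or from Bridges; the table layout, field names, and the four quarterly sample files are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    """Control totals for one interface file (assumed layout, not the Bridges schema)."""
    record_count: int
    amount_total: Decimal


@dataclass(frozen=True)
class ReconException:
    file_id: str
    check: str      # which comparison failed
    expected: str   # value recomputed from the records received
    observed: str   # value stored in the control table, or the offending keys


def totals_from_records(records):
    """Recompute control totals independently from the records actually received."""
    amounts = (Decimal(r["amount"]) for r in records)
    return ControlTotals(len(records), sum(amounts, Decimal("0")))


def reconcile_file(file_id, file_control, batch_summary, records):
    """Compare both control tables with recomputed totals; an empty list means reconciled."""
    actual = totals_from_records(records)
    found = []

    # The same key arriving twice inflates every downstream total.
    dupes = sorted(k for k, n in Counter(r["record_id"] for r in records).items() if n > 1)
    if dupes:
        found.append(ReconException(file_id, "duplicate_record_id", "none", ",".join(dupes)))

    for table, stored in (("file_control", file_control), ("batch_summary", batch_summary)):
        if stored.record_count != actual.record_count:
            check = table + ".record_count"
            # A stored count that is an exact multiple of the real count suggests
            # each record was counted more than once when the total was written.
            if (actual.record_count and stored.record_count > actual.record_count
                    and stored.record_count % actual.record_count == 0):
                check += ".duplicated"
            found.append(ReconException(file_id, check,
                                        str(actual.record_count), str(stored.record_count)))
        if stored.amount_total != actual.amount_total:
            found.append(ReconException(file_id, table + ".amount_total",
                                        str(actual.amount_total), str(stored.amount_total)))
    return found


def reconcile_interface(files):
    """Run the reconciliation for every file of one interface: file id -> exceptions."""
    return {fid: reconcile_file(fid, fc, bs, recs) for fid, (fc, bs, recs) in files.items()}


def make_records(prefix, amounts):
    """Build constructed sample records with sequential ids."""
    return [{"record_id": f"{prefix}-{i:03d}", "amount": a} for i, a in enumerate(amounts, 1)]


# Constructed sample: (file_control, batch_summary, records received) per quarterly file.
SAMPLE_FILES = {
    # Clean file: both tables agree with the data.
    "2023-Q1": (ControlTotals(3, Decimal("39.75")), ControlTotals(3, Decimal("39.75")),
                make_records("Q1", ["10.00", "25.50", "4.25"])),
    # Batch summary count written twice per record; amounts are still right.
    "2023-Q2": (ControlTotals(2, Decimal("15.00")), ControlTotals(4, Decimal("15.00")),
                make_records("Q2", ["7.00", "8.00"])),
    # Sender declared 3 records, only 2 arrived and were loaded.
    "2023-Q3": (ControlTotals(3, Decimal("6.00")), ControlTotals(2, Decimal("3.00")),
                make_records("Q3", ["1.00", "2.00", "3.00"])[:2]),
    # One record delivered twice; the loader counted it, so batch summary matches the data.
    "2023-Q4": (ControlTotals(2, Decimal("11.00")), ControlTotals(3, Decimal("17.00")),
                make_records("Q4", ["5.00", "6.00"]) + [{"record_id": "Q4-002", "amount": "6.00"}]),
}

if __name__ == "__main__":
    for fid, excs in reconcile_interface(SAMPLE_FILES).items():
        print(fid, "RECONCILED" if not excs else [(e.check, e.expected, e.observed) for e in excs])
```

Recomputing the totals from the records, rather than comparing the two tables only with each other, is what exposes the Q4 case, where the batch summary agrees with the data and both are wrong.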
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
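The checks behind parts a. and d. of this finding (incompatible-role exceptions documented and approved before access is granted, and account reviews performed on the required cadence) can be automated along these lines. This is an added example, not code or data from the audit report or from Bridges; the role names, user ids, record layout, and the day counts used for "semiannually" and "annually" are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed day counts for "semiannually" (privileged) and "annually" (all other accounts).
REVIEW_INTERVAL = {True: timedelta(days=183), False: timedelta(days=365)}

# Constructed role names; each frozenset is a pair one user should not hold together.
INCOMPATIBLE = [frozenset({"case_intake", "benefit_approval"}),
                frozenset({"benefit_approval", "payment_release"})]


@dataclass(frozen=True)
class Account:
    user_id: str
    privileged: bool
    roles: frozenset
    last_reviewed: Optional[date]   # None means no review is on record


@dataclass(frozen=True)
class RoleException:
    user_id: str
    roles: frozenset                # the incompatible pair the exception covers
    granted_on: date
    approved_on: Optional[date]     # None means the form carries no approval
    form_on_file: bool


def overdue_reviews(accounts, as_of):
    """User ids whose last account review is older than the interval for their account type."""
    return sorted(a.user_id for a in accounts
                  if a.last_reviewed is None
                  or as_of - a.last_reviewed > REVIEW_INTERVAL[a.privileged])


def exception_defect(exc):
    """Return why an exception request fails review, or None when it is in order."""
    if not exc.form_on_file:
        return "no_documentation"
    if exc.approved_on is None:
        return "not_approved"
    if exc.approved_on > exc.granted_on:
        return "approved_after_grant"
    return None


def unsupported_conflicts(accounts, exceptions):
    """Map user id -> [(pair, reason)] for incompatible role pairs lacking a sound exception."""
    by_key = {(e.user_id, e.roles): e for e in exceptions}
    findings = {}
    for a in accounts:
        for pair in INCOMPATIBLE:
            if not pair <= a.roles:
                continue  # user does not hold both roles of this pair
            exc = by_key.get((a.user_id, pair))
            reason = "no_exception_request" if exc is None else exception_defect(exc)
            if reason:
                findings.setdefault(a.user_id, []).append((tuple(sorted(pair)), reason))
    return findings


# Constructed sample data, evaluated as of the fiscal year end.
AS_OF = date(2023, 9, 30)
ACCOUNTS = [
    Account("u1001", True, frozenset({"case_intake", "benefit_approval"}), date(2023, 5, 1)),
    Account("u1002", True, frozenset({"benefit_approval", "payment_release"}), date(2023, 2, 1)),
    Account("u1003", False, frozenset({"case_intake"}), date(2022, 11, 15)),
    Account("u1004", False, frozenset({"case_intake", "benefit_approval"}), None),
    Account("u1005", False,
            frozenset({"case_intake", "benefit_approval", "payment_release"}), date(2023, 6, 1)),
]
EXCEPTIONS = [
    RoleException("u1001", INCOMPATIBLE[0], date(2023, 1, 12), date(2023, 1, 10), True),
    RoleException("u1002", INCOMPATIBLE[1], date(2023, 3, 1), date(2023, 3, 5), True),
    RoleException("u1004", INCOMPATIBLE[0], date(2023, 4, 1), date(2023, 3, 28), False),
]

if __name__ == "__main__":
    print("Overdue reviews:", overdue_reviews(ACCOUNTS, AS_OF))
    for user, items in unsupported_conflicts(ACCOUNTS, EXCEPTIONS).items():
        print(user, items)
```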
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment, which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and states that accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-042
Public Health Emergency Preparedness, ALN 93.069, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for all 57 subrecipients.
b. MDHHS did not obtain all required semiannual progress reports for 2 (15%) of 13 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and terms and conditions of the subaward and that subaward performance goals are achieved.
As part of its risk assessment procedures, MDHHS conducts an assessment of all subrecipients to determine the monitoring activities, which may include on-site or desk reviews. In addition, MDHHS monitors the performance of subrecipients through semiannual progress reports.
Cause
MDHHS informed us limited resources and competing priorities contributed to its inability to sufficiently monitor and evaluate subrecipients.
Effect
Insufficient monitoring and evaluation of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-043
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR User Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over the Michigan Care Improvement Registry (MCIR). MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children program. We noted MDHHS did not disable 21 (13%) of 158 active MCIR user accounts that had not accessed the application in over 60 days as of September 30, 2023.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires the information system to automatically disable inactive user accounts after 60 days.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MCIR. As a result, an increased risk exists that MDHHS cannot ensure the security of MCIR.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MCIR.
Management Views
MDHHS agrees with the finding.
FINDING 2023-044
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - Control, Accountability, and Safeguarding of Vaccine and Record of Immunization
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure compliance site visits for providers enrolled in the Vaccines for Children (VFC) program were conducted in accordance with federal guidelines. We noted:
a. MDHHS did not timely conduct a compliance site visit at least once every 24 months for 24 (60%) of 40 sampled providers. For the 24 providers, the compliance visits were late between 1.7 months and 4.0 years, averaging 1.7 years.
b. MDHHS did not conduct a compliance site visit at least once every 24 months for 1 (3%) of 40 sampled providers. The compliance visit was not complete as of September 30, 2023 and was overdue by 2.0 years.
Criteria
Federal law 42 USC 1396s requires vaccines to be adequately safeguarded and used solely for authorized purposes. The HHS's Centers for Disease Control and Prevention's (CDC's) Vaccines for Children July 2022 and July 2023 Operations Guides state that awardees must conduct and record VFC compliance site visits, covering areas of provider details, eligibility, documentation, storage and handling, and inventory management with each VFC provider every 24 months.
Cause
MDHHS informed us during the COVID-19 pandemic it conducted limited provider site visits, which created a backlog of site visits to complete during fiscal year 2023. Also, MDHHS informed us staff turnover and vacancies at the local health departments contributed to the delay in the site visits.
Effect
MDHHS could not ensure VFC providers adequately safeguarded and used vaccines solely for authorized purposes. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure required compliance site visits for providers enrolled in the VFC program are conducted.
Management Views
MDHHS disagrees with the finding. Site visits did not resume for all VFC providers until the July 1, 2022 through June 30, 2023 review cycle because the CDC allowed jurisdictions to temporarily suspend these visits during the COVID-19 pandemic that ended during May 2023. MDHHS previously reached out to the CDC for clarification on conducting site visits and was informed that site visit activities could be suspended based on COVID-19 activity in MDHHS's jurisdiction and capacity within MDHHS's organization. The site visits identified in the finding were included in the backlog of suspended site visits that MDHHS continued to work through during the audit period.
Auditor's Comments to Management Views
Although the CDC communicated a temporary suspension was permissible, the CDC compliance site visit requirement did not change. Also, the special tests and provisions compliance requirements for Control, Accountability, and Safeguarding of Vaccine and Record of Immunization were subject to audit according to the OMB Compliance Supplement. As the federal grantor agency, the CDC has discretion as to whether penalties will be assessed for noncompliance. However, neither this nor MDHHS's capacity to rectify the backlog and complete the required site visits alleviates our responsibility to report noncompliance under the Uniform Guidance.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-043
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR User Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over the Michigan Care Improvement Registry (MCIR). MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children program. We noted MDHHS did not disable 21 (13%) of 158 active MCIR user accounts that had not accessed the application in over 60 days as of September 30, 2023.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires the information system to automatically disable inactive user accounts after 60 days.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MCIR. As a result, an increased risk exists that MDHHS cannot ensure the security of MCIR.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MCIR.
Management Views
MDHHS agrees with the finding.
FINDING 2023-044
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - Control, Accountability, and Safeguarding of Vaccine and Record of Immunization
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure compliance site visits for providers enrolled in the Vaccines for Children (VFC) program were conducted in accordance with federal guidelines. We noted:
a. MDHHS did not timely conduct a compliance site visit at least once every 24 months for 24 (60%) of 40 sampled providers. For the 24 providers, the compliance visits were between 1.7 months and 4.0 years late, averaging 1.7 years.
b. MDHHS did not conduct a compliance site visit at least once every 24 months for 1 (3%) of 40 sampled providers. The compliance visit was not complete as of September 30, 2023 and was overdue by 2.0 years.
Criteria
Federal law 42 USC 1396s requires vaccines to be adequately safeguarded and used solely for authorized purposes. The HHS's Centers for Disease Control and Prevention's (CDC's) Vaccines for Children July 2022 and July 2023 Operations Guides state that awardees must conduct and record VFC compliance site visits, covering areas of provider details, eligibility, documentation, storage and handling, and inventory management with each VFC provider every 24 months.
Cause
MDHHS informed us that, during the COVID-19 pandemic, it conducted limited provider site visits, which created a backlog of site visits to complete during fiscal year 2023. Also, MDHHS informed us that staff turnover and vacancies at the local health departments contributed to the delay in the site visits.
Effect
MDHHS could not ensure VFC providers adequately safeguarded and used vaccines solely for authorized purposes. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure required compliance site visits for providers enrolled in the VFC program are conducted.
Management Views
MDHHS disagrees with the finding. Site visits did not resume for all VFC providers until the July 1, 2022 through June 30, 2023 review cycle because the CDC allowed jurisdictions to temporarily suspend these visits during the COVID-19 pandemic that ended during May 2023. MDHHS previously reached out to the CDC for clarification on conducting site visits and was informed that site visit activities could be suspended based on COVID-19 activity in MDHHS's jurisdiction and capacity within MDHHS's organization. The site visits identified in the finding were included in the backlog of suspended site visits that MDHHS continued to work through during the audit period.
Auditor's Comments to Management Views
Although the CDC communicated a temporary suspension was permissible, the CDC compliance site visit requirement did not change. Also, the special tests and provisions compliance requirements for Control, Accountability, and Safeguarding of Vaccine and Record of Immunization were subject to audit according to the OMB Compliance Supplement. As the federal grantor agency, the CDC has discretion as to whether penalties will be assessed for noncompliance. However, neither this nor MDHHS's capacity to rectify the backlog and complete the required site visits alleviates our responsibility to report noncompliance under the Uniform Guidance.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. MDHHS used incorrect data to calculate the PACAP percentages for 2 (1%) of 203 statistic groups, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-045
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - MiSACWIS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS).
We noted:
a. MDHHS did not properly approve 2 (4%) of the 50 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS.
b. MDHHS did not maintain documentation for 4 (10%) of 40 sampled MiSACWIS incompatible role exception requests.
c. MDHHS did not document or properly review its annual recertification of 2 (5%) of 40 sampled MiSACWIS non-privileged user accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements annually for all non-privileged accounts. In addition, GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation-of-duties conflicts exist.
Cause
For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access.
For part c., MDHHS informed us the users' roles were not always recertified due to staff oversight.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over MiSACWIS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-046
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - MARS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted LEO did not disable 34 (24%) of 140 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2023.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires the information system to automatically disable inactive user accounts after 60 days.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective user access controls over MARS.
Management Views
LEO agrees with the finding.
FINDING 2023-047
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Non-Financial Eligibility Documentation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for 3 (14%) of 21 sampled TANF-funded assistance payments.
MDHHS did not obtain or maintain documentation such as support for timely completion of the Family Automated Screening Tool, Family Self-Sufficiency Plan, and records to support children older than 6 were attending school full time in order to demonstrate the 3 families were in need of TANF assistance.
Criteria
Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's TANF State Plan requires MDHHS and the client complete the Family Self-Sufficiency Plan prior to the end of the first three months of assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state.
Cause
MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record.
Effect
MDHHS may have made TANF-funded assistance payments to ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $97 - federal share.
Recommendation
We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments.
Management Views
MDHHS agrees with the finding.
FINDING 2023-048
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Inappropriate TANF-Funded Adoption Subsidy Rate
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate negotiated rate to calculate the payment to adoptive parents for 1 (6%) of 17 sampled TANF-funded adoption subsidy case records.
Criteria
Federal regulation 45 CFR 263.11(a)(1) states funds may be used in any manner reasonably calculated to achieve the purposes of TANF. Section 400.115i of the Michigan Compiled Laws requires adoptive parents to enter into agreements with the State that prescribe the payment amount.
Also, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award; conform to any limitations, exclusions, or conditions; be in accordance with the relative benefits received by the program; and be consistent with policies and procedures that apply to both the federal award and other activities of the state.
Cause
MDHHS informed us adoption assistance agreements received prior to January 21, 2014 were eligible for clothing allowance. MDHHS manually created negotiated rate offsets in MiSACWIS until the system was updated on June 18, 2015 to not include the clothing allowance in future calculated rates. The month the child turns 13, the clothing allowance rates are increased. The under 13 clothing allowance rate was not manually removed by MDHHS for the month the child turned 13, causing MiSACWIS to calculate and pay a rate to the adoptive parent for the month the child turned 13 only, which was greater than the negotiated rate.
Effect
MDHHS made payments to adoptive parents not consistent with the agreed upon negotiated rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS use the appropriate negotiated rate to calculate the TANF-funded adoption subsidy payments to adoptive parents.
Management Views
MDHHS disagrees with the finding. Although the appropriate negotiated rate was not used to calculate the initial payment, MDHHS disagrees that a deficiency exists.
MDHHS ensures that the appropriate negotiated rate is used during an annual review process that occurs each year and is based on the child's birth month. The annual report process includes a thorough payment history review for each adoption assistance case to ensure payments are issued accurately. This involves verifying cases are paid at the correct rate and identifying any overpayments that occurred for adoption assistance agreements that were entered into between January 21, 2014 through June 18, 2015, prior to the MiSACWIS system update to automate the clothing allowance offset. The overpayment noted in the finding was identified by the auditor during the month prior to MDHHS's annual review process, which was scheduled for April 2024, and the negotiated rate for the month the child turned 13 was manually corrected and recouped by MDHHS in March 2024. MDHHS believes this is a timing issue and disagrees that a deficiency exists.
Auditor's Comments to Management Views
Regardless of the timing of MDHHS's annual review process, Subpart E of federal regulation 45 CFR 75 requires MDHHS costs charged to the federal program be necessary and reasonable. In addition, federal regulation 45 CFR 75.2 defines an "improper payment" as any payment that should not have been made or made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. MDHHS did not manually correct the negotiated rate for the month the child turned 13. Once the auditor informed MDHHS of the error, MDHHS recouped the overpayment in March 2024.
Therefore, this finding stands as written.
FINDING 2023-049
Temporary Assistance for Needy Families, ALN 93.558, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for 1 of 4 sampled subrecipients.
b. MDHHS did not document its monitoring activities and any potential follow-up actions related to deficiencies noted during the review for 1 of 3 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved.
Cause
MDHHS believed its current process to monitor and evaluate subrecipients was sufficient to comply with program requirements. However, the documentation provided did not substantiate the procedures completed.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-050
Temporary Assistance for Needy Families, ALN 93.558, Special Tests and Provisions - Child Support Non-Cooperation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately and timely sanction TANF families who did not cooperate with establishing paternity and child support orders in 5 (13%) of the 40 sampled case records. MDHHS uses an automated interface between the Michigan Child Support Enforcement System and Bridges to identify and sanction TANF families not cooperating with establishing paternity and child support orders.
We noted for all 5 cases, the automated interface identified that the TANF family was not cooperating, but the benefits did not stop and the clients' case records did not contain evidence the clients met good cause criteria for not cooperating.
Criteria
Federal regulation 45 CFR 264.30 states MDHHS must deduct an amount equal to not less than 25% from the TANF-funded assistance that would otherwise be provided to the family of the individual or may deny the family any TANF-funded assistance. MDHHS's TANF State Plan states failure to cooperate in establishing paternity and pursuing child support for dependent children will result in TANF client ineligibility for a one-month minimum.
Cause
MDHHS's internal control did not ensure county/district office caseworkers applied the appropriate one-month sanction period for the child support non-cooperation for one case. For the remaining 4 cases, MDHHS informed us the one-month sanction period for the child support non-cooperation was not applied because the case was in a non-ongoing mode, which requires certification of the case by all MDHHS programs because of a change in client circumstances.
Effect
MDHHS may have inappropriately paid TANF funds to individuals who were ineligible because of failure to comply with child support requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS appropriately and timely sanction TANF families who do not cooperate with establishing paternity and child support orders.
Management Views
MDHHS disagrees with 4 of 5 exceptions identified. The MDHHS Bridges technical team reviewed each cited case and determined that Bridges was functioning as intended for four cases identified because each case was in a non-ongoing mode at the time the automated interface occurred. A case is placed into this status if the client circumstances have changed for any MDHHS program within Bridges and the case requires a redetermination. TANF policy cannot mandate Bridges to change the non-ongoing mode because each impacted program is required to be certified prior to changing the status. MDHHS policy does not mandate a specific length of time that a case can be in a non-ongoing status. The results of the redetermination can impact the client's non-cooperation status and therefore the client should not be sanctioned until the certification by all programs is complete.
For two of the cases, the client was appropriately sanctioned after the case review was complete and for the other two cases, the client was determined to be in compliance once the case was removed from the non-ongoing status mode.
Auditor's Comments to Management Views
MDHHS did not timely initiate sanctions against clients identified as not cooperating with establishing paternity and child support orders. Federal regulation 45 CFR 233.10 states when there is a change in circumstances, payment may not continue beyond one month after the change. For the 4 exceptions with which MDHHS disagrees, we noted MDHHS continued to make payments for up to 7 months after the date of non-cooperation.
Therefore, this finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-009
Treasury, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the Child Support Services and LIHEAP clearance patterns as specified in its fiscal year 2023 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the program clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. MDHHS used incorrect data to calculate the PACAP percentages for 2 (1%) of 203 statistic groups, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that had identified errors and were excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-051
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, and Subrecipient Monitoring - Salesforce Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not fully establish effective security management and access controls over the Salesforce users. Program subrecipients utilize Salesforce to submit performance data, contract budgets, and expenditure submissions related to refugee resettlement. Also, LEO program staff utilize Salesforce to manage subgrants and review and approve subrecipient contract budgets and payment requests. We noted LEO did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Salesforce. As a result, an increased risk exists that LEO cannot ensure the security of the Salesforce application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective security management and access controls over Salesforce users.
Management Views
LEO agrees with the finding.
FINDING 2023-052
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Assistance to Ineligible Refugees
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility. Our review disclosed:
a. MDHHS did not maintain sufficient documentation of its efforts to evaluate clients' eligibility; examples of documentation include support for the verification of nationality, identification, U.S. entry date, and mandatory work for 7 (28%) of 25 sampled refugee cash or medical assistance payments.
b. MDHHS inappropriately charged medical service expenditures of $98,381 to the federal program for non-REAP clients.
Criteria
Federal regulations 45 CFR 400.53 and 45 CFR 400.75(a) require refugees to meet general eligibility requirements for refugee cash assistance, including requirements that eligible refugees meet immigration status and identification conditions; reside in the United States less than the eligibility period determined by HHS's Office of Refugee Resettlement; and cannot, without good cause, fail or refuse to meet the work registry requirements. Also, federal regulation 45 CFR 400.28 requires MDHHS provide for the maintenance of operational records as are necessary for federal monitoring of the State's REAP.
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
For part a., MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in clients' case records to support eligibility.
For part b., MDHHS indicated program records properly accounted for client eligibility; however, because of staff oversight, the accounting records were not properly adjusted following the correction of a reporting defect.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have provided assistance to ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $99,995 - federal share.
Recommendations
We recommend LEO and MDHHS maintain documentation to support client eligibility was determined in accordance with eligibility requirements.
We also recommend LEO and MDHHS ensure they properly charge only REAP eligible client assistance to REAP.
Management Views
LEO and MDHHS agree with the finding.
FINDING 2023-053
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Cash Management - Timeliness of Cash Draws
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not ensure its reimbursement requests were prepared in accordance with the CMIA. We noted for 1 of the 2 sampled quarterly cash draws, LEO prepared the reimbursement request 151 days after the quarter ended.
Criteria
Subpart B of federal regulation 31 CFR 205 requires that a state minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
Cause
LEO informed us staffing limitations impacted its ability to timely submit reimbursement requests.
Effect
LEO limited its assurance that it complied with the CMIA and may have lost interest by drawing funds late. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO ensure its reimbursement requests are prepared in accordance with the CMIA.
Management Views
LEO agrees with the finding.
FINDING 2023-054
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not report any REAP subaward information as required by FFATA.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires LEO to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
LEO informed us it had not implemented a process to accumulate and submit the required information to the federal system.
Effect
LEO grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because LEO did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO report REAP subaward information as required by FFATA.
Management Views
LEO agrees with the finding.
FINDING 2023-055
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Subrecipient Monitoring - Subrecipient Audits and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not properly monitor its subrecipients to ensure they complied with the Uniform Guidance. In addition, LEO did not accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. LEO did not have a process to identify or document if the subrecipients required a single audit. Therefore, LEO did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. LEO did not report the correct FAIN for 3 of the 4 sampled subawards.
Criteria
Federal regulation 45 CFR 75.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 45 CFR 75.352(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 45 CFR 75.521(d) requires LEO to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the federal audit clearinghouse (FAC).
In addition, federal regulation 45 CFR 75.352(a) requires that all pass-through entities ensure every subaward includes certain information.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to review subrecipient single audits.
For part b., LEO informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
LEO limited the State's assurance that its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to LEO's records. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. We consider this to be a material weakness and material noncompliance because LEO did not complete any monitoring of its subrecipients' single audits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO properly monitor its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-009
Treasury, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the Child Support Services and LIHEAP clearance patterns as specified in its fiscal year 2023 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the program clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-056
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Client Benefits in Excess of Fiscal Year Cap
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure the total client benefits were limited to the fiscal year cap for 1 (3%) of 39 sampled clients.
Criteria
Federal law 42 USC 8624 requires the State expend funds in accordance with the LIHEAP State Plan. The LIHEAP State Plan indicates that when a payment was necessary to resolve an energy related emergency, the payment would be the minimum amount necessary to prevent shutoff or restore activities for natural gas and electric services and the payment for any other fuel types and deliverable fuels may be made up to the fiscal year cap. Also, MDHHS policy establishes payment limits for these emergency energy fiscal year caps.
Cause
MDHHS informed us the miscalculation of the total client benefits paid during the fiscal year was caused by a manual data entry error.
Effect
MDHHS made an energy payment in excess of the client's fiscal year cap. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $190 - federal share.
Recommendation
We recommend MDHHS ensure the total client benefits do not exceed the fiscal year cap.
Management Views
MDHHS agrees with the finding.
FINDING 2023-057
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, household size, and proof of energy crisis for 9 (23%) of 39 sampled LIHEAP-funded State Emergency Relief (SER) energy payments.
Criteria
Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy.
MDHHS policy requires county/district office caseworkers to verify and include certain income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. In addition, policy indicates the income limitation to be eligible is based on family size or SER group size.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $6,469 - federal share.
Recommendation
We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
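The reconciliation this finding describes, comparing a file control record against batch summary rows by record count and control total, can be sketched as follows. This is an added illustration, not code from Bridges or DTMB; the table layouts, field names, interface and batch identifiers, and sample values are all constructed assumptions.

```python
"""Interface reconciliation with control totals (added illustration)."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class FileControl:
    """Sender-side control record for one interface file (hypothetical layout)."""
    file_id: str
    record_count: int
    amount_total: Decimal


@dataclass(frozen=True)
class BatchSummary:
    """Receiver-side summary row per processed batch (hypothetical layout)."""
    file_id: str
    batch_id: str
    record_count: int
    amount_total: Decimal


def reconcile(control, summaries):
    """Compare one file's control totals with its batch summary rows.

    Returns a list of exception strings; an empty list means the file reconciles.
    """
    rows = [s for s in summaries if s.file_id == control.file_id]
    if not rows:
        return [f"{control.file_id}: no batch summary rows for this file"]

    exceptions = []
    # A batch id summarized twice inflates the summed record count, which is
    # the kind of duplication the finding's cause statement describes.
    seen = Counter(r.batch_id for r in rows)
    for batch_id in sorted(b for b, n in seen.items() if n > 1):
        exceptions.append(
            f"{control.file_id}: batch {batch_id} summarized more than once")

    count = sum(r.record_count for r in rows)
    amount = sum((r.amount_total for r in rows), Decimal("0"))
    if count != control.record_count:
        exceptions.append(
            f"{control.file_id}: record count {count} != control {control.record_count}")
    if amount != control.amount_total:
        exceptions.append(
            f"{control.file_id}: amount total {amount} != control {control.amount_total}")
    return exceptions


def reconcile_all(controls, summaries):
    """Reconcile every file and flag summary rows that have no control record."""
    report = {c.file_id: reconcile(c, summaries) for c in controls}
    for orphan in sorted({s.file_id for s in summaries} - set(report)):
        report[orphan] = [f"{orphan}: batch summary rows without a file control record"]
    return report


# Constructed sample data, not taken from the audit report.
CONTROLS = [
    FileControl("IF07-Q1", 3, Decimal("450.00")),
    FileControl("IF07-Q2", 4, Decimal("610.50")),
]
SUMMARIES = [
    BatchSummary("IF07-Q1", "B1", 2, Decimal("300.00")),
    BatchSummary("IF07-Q1", "B2", 1, Decimal("150.00")),
    BatchSummary("IF07-Q2", "B1", 4, Decimal("610.50")),
    BatchSummary("IF07-Q2", "B1", 4, Decimal("610.50")),  # duplicated row
    BatchSummary("IF07-Q9", "B1", 1, Decimal("10.00")),   # no control record
]

if __name__ == "__main__":
    for file_id, problems in reconcile_all(CONTROLS, SUMMARIES).items():
        print(file_id, "OK" if not problems else problems)
```

Running a check like this as a gate in the load job, and failing the job on any non-empty exception list, surfaces a duplicated count at the first file rather than at a later review.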
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
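The account-level checks behind this finding (approval before access is granted, review cadence by account type, and incompatible roles only with an approved exception) can be automated along these lines. This is an added illustration, not MDHHS tooling; the record layout, role names, incompatible pair, day counts for "semiannual" and "annual", and sample accounts are constructed assumptions.

```python
"""Access review checks for user accounts (added illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Semiannual review for privileged accounts, annual for all others, as the
# cited standard requires. The exact day counts are an assumption.
REVIEW_INTERVAL = {True: timedelta(days=183), False: timedelta(days=365)}

# Hypothetical incompatible role pair; a real matrix comes from the system owner.
INCOMPATIBLE = [frozenset({"case_entry", "benefit_authorization"})]


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    roles: frozenset
    granted_on: date
    approved_on: Optional[date]          # None: no security agreement on file
    last_reviewed: Optional[date]        # None: never reviewed since grant
    exception_approved_on: Optional[date] = None


def review(acct, as_of):
    """Return the list of control exceptions for one account as of a date."""
    out = []
    if acct.approved_on is None:
        out.append("no approval on file")
    elif acct.approved_on > acct.granted_on:
        out.append("access granted before approval")

    # The review clock starts at the grant date until a first review exists.
    baseline = acct.last_reviewed or acct.granted_on
    if as_of - baseline > REVIEW_INTERVAL[acct.privileged]:
        out.append("account review overdue")

    if any(pair <= acct.roles for pair in INCOMPATIBLE):
        if acct.exception_approved_on is None:
            out.append("incompatible roles without exception request")
        elif acct.exception_approved_on > acct.granted_on:
            out.append("incompatible roles granted before exception approval")
    return out


# Constructed sample accounts, not taken from the audit report.
ACCOUNTS = [
    Account("admin01", True, frozenset({"security_admin"}),
            date(2022, 10, 3), date(2022, 10, 1), date(2023, 2, 1)),
    Account("worker17", False, frozenset({"case_entry", "benefit_authorization"}),
            date(2023, 1, 10), date(2023, 1, 17), None),
    Account("worker22", False, frozenset({"case_entry"}),
            date(2023, 3, 1), date(2023, 2, 27), date(2023, 6, 1)),
]


def review_all(accounts, as_of):
    """Map each user to its exceptions, omitting accounts with none."""
    results = {a.user: review(a, as_of) for a in accounts}
    return {user: found for user, found in results.items() if found}


if __name__ == "__main__":
    for user, found in review_all(ACCOUNTS, date(2023, 9, 30)).items():
        print(user, found)
```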
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS has limited assurance that the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of the encounter and financial data submitted by its managed care entities was completed and posted to its website at least once every three years. The managed care entities included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support that beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-020
SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS should improve its monitoring of the operating effectiveness of general controls, such as security, for the third-party organizations that provide various electronic benefits transfer (EBT) services. We noted:
a. MDHHS did not document the date it received all 5 System and Organization Controls (SOC) reports* from the EBT service provider to support that MDHHS reviewed the reports in a timely manner. Also, for 4 of these SOC reports received, the same person completed and approved the evaluation of the reports.
b. MDHHS did not obtain a bridge letter in appropriate circumstances for the 1 applicable subservice organization SOC report. In this instance, the bridge letter obtained covered a period of 13 months, for which 9 months occurred during our audit period.
c. MDHHS had not reviewed or evaluated 1 of 2 SOC reports of the subservice organization that provides information systems services, such as hosting services and managing infrastructure services and operations, to the State's EBT service provider.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits.
The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG requires management to complete the review within 30 days of receiving the SOC report. Also, the FMG indicates the departments should consider and document conclusions regarding whether the sub-servicers controls are relevant to the department's control environment and document in their evaluation of the SOC report how these were resolved.
Also, FMG (Part VII, Chapter 2, Section 200) requires the department to divide or segregate duties among different people or implement alternative or compensating controls to mitigate the risk associated with a single user having the ability to perform conflicting duties.
In addition, the State Budget Office's Office of Internal Audit Services SOC report review guidance states that if the report covers a period of less than 6 months, it provides minimal assurance that the controls are in place and that if the gap period is greater than 90 days, the State agency should evaluate if a bridge letter is sufficient or if additional procedures are needed.
Cause
MDHHS's internal control was not sufficient to ensure it documented its review of all components of the SOC reports.
Effect
MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its monitoring of the operating effectiveness of general controls for the third-party organizations that provide various EBT services.
Management Views
MDHHS agrees with the finding.
FINDING 2023-021
SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury.
Condition
MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government.
Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the Automated Clearing House.
Cause
MDHHS informed us that EBT reconciliations between Bridges, Bridges data warehouse, and the vendor are conducted on a monthly basis using daily data because of the timing of benefit authorization, availability of vendor data, and usage of benefits.
Effect
Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw.
Management Views
MDHHS disagrees that a material weakness and material noncompliance exist. MDHHS federal reporting conducts a daily reconciliation of federal draws and authorizations to retailers based on vendor EBT reports. In addition, MDHHS conducts a monthly reconciliation between Bridges, Bridges data warehouse, and vendor EBT reports using daily data to ensure the client information in Bridges and Bridges data warehouse is accurate. The monthly reconciliation process does not impact the federal draw because the daily reconciliation of the vendor EBT report is used for this purpose. MDHHS provided detailed and accurate descriptions of MDHHS daily and monthly EBT reconciliations to the designated federal awarding agency contacts at the United States Department of Agriculture Food and Nutrition Service Agency that are familiar with MDHHS processes and received confirmation that the current reconciliation processes in place are sufficient to comply with federal regulations.
Auditor's Comments to Management Views
MDHHS acknowledges it does not perform daily reconciliations of payments made to retailers by its EBT contractor to Bridges data although federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day. Also, MDHHS did not sufficiently communicate its EBT process to its regional federal contact person. The daily EBT "reconciliation" noted above does not include Bridges data, but instead uses the EBT contractor report to confirm the accuracy of the federal account balance. Therefore, the regional federal contact person did not have all necessary information to assess if MDHHS's process complied with the federal regulation. In addition, MDHHS did not obtain an opinion from a federal person with the authority to issue an opinion on behalf of the United States Department of Agriculture ensuring consistent interpretation of federal regulations.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 200.516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. MDHHS incurred SNAP (ALN 10.551) expenditures of $3.7 billion during fiscal year 2023, with daily draws averaging over $20 million; therefore, the lack of a daily reconciliation increases the risk MDHHS may not detect differences between the State records and the EBT contractor's reports prior to drawing down federal funds.
The finding stands as written.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-020
SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS should improve its monitoring of the operating effectiveness of general controls, such as security, for the third-party organizations that provide various electronic benefits transfer (EBT) services. We noted:
a. MDHHS did not document the date it received all 5 System and Organization Controls (SOC) reports* from the EBT service provider to support that MDHHS reviewed the reports in a timely manner. Also, for 4 of these SOC reports received, the same person completed and approved the evaluation of the reports.
b. MDHHS did not obtain a bridge letter in appropriate circumstances for the 1 applicable subservice organization SOC report. In this instance, the bridge letter obtained covered a period of 13 months, for which 9 months occurred during our audit period.
c. MDHHS had not reviewed or evaluated 1 of 2 SOC reports of the subservice organization that provides information systems services, such as hosting services and managing infrastructure services and operations, to the State's EBT service provider.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits.
The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG requires management to complete the review within 30 days of receiving the SOC report. Also, the FMG indicates the departments should consider and document conclusions regarding whether the sub-servicers' controls are relevant to the department's control environment and document in their evaluation of the SOC report how these were resolved.
Also, FMG (Part VII, Chapter 2, Section 200) requires the department to divide or segregate duties among different people or implement alternative or compensating controls to mitigate the risk associated with a single user having the ability to perform conflicting duties.
In addition, the State Budget Office's Office of Internal Audit Services SOC report review guidance states that if the report covers a period of less than 6 months, it provides minimal assurance that the controls are in place and that if the gap period is greater than 90 days, the State agency should evaluate if a bridge letter is sufficient or if additional procedures are needed.
Cause
MDHHS's internal control was not sufficient to ensure it documented its review of all components of the SOC reports.
Effect
MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its monitoring of the operating effectiveness of general controls for the third-party organizations that provide various EBT services.
Management Views
MDHHS agrees with the finding.
FINDING 2023-021
SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury.
Condition
MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government.
Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the Automated Clearing House.
Cause
MDHHS informed us that EBT reconciliations between Bridges, Bridges data warehouse, and the vendor are conducted on a monthly basis using daily data because of the timing of benefit authorization, availability of vendor data, and usage of benefits.
Effect
Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw.
Management Views
MDHHS disagrees that a material weakness and material noncompliance exist. MDHHS federal reporting conducts a daily reconciliation of federal draws and authorizations to retailers based on vendor EBT reports. In addition, MDHHS conducts a monthly reconciliation between Bridges, Bridges data warehouse, and vendor EBT reports using daily data to ensure the client information in Bridges and Bridges data warehouse is accurate. The monthly reconciliation process does not impact the federal draw because the daily reconciliation of the vendor EBT report is used for this purpose. MDHHS provided detailed and accurate descriptions of MDHHS daily and monthly EBT reconciliations to the designated federal awarding agency contacts at the United States Department of Agriculture Food and Nutrition Service Agency that are familiar with MDHHS processes and received confirmation that the current reconciliation processes in place are sufficient to comply with federal regulations.
Auditor's Comments to Management Views
MDHHS acknowledges it does not perform daily reconciliations of payments made to retailers by its EBT contractor to Bridges data although federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day. Also, MDHHS did not sufficiently communicate its EBT process to its regional federal contact person. The daily EBT "reconciliation" noted above does not include Bridges data, but instead uses the EBT contractor report to confirm the accuracy of the federal account balance. Therefore, the regional federal contact person did not have all necessary information to assess if MDHHS's process complied with the federal regulation. In addition, MDHHS did not obtain an opinion from a federal person with the authority to issue an opinion on behalf of the United States Department of Agriculture ensuring consistent interpretation of federal regulations.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 200.516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. MDHHS incurred SNAP (ALN 10.551) expenditures of $3.7 billion during fiscal year 2023, with daily draws averaging over $20 million; therefore, the lack of a daily reconciliation increases the risk MDHHS may not detect differences between the State records and the EBT contractor's reports prior to drawing down federal funds.
The finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
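The control-total reconciliation FISCAM describes, and the duplicated record counts cited as the cause of this finding, can be illustrated with the following added example, which is not part of the audit report and is not Bridges code. The table layouts, field names, and sample figures are hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class FileControl:
    """Control totals declared by the source system for one interface file (hypothetical layout)."""
    file_id: str
    record_count: int
    amount_total: Decimal


@dataclass(frozen=True)
class BatchSummary:
    """What the receiving system logged for one batch of a file (hypothetical layout)."""
    file_id: str
    batch_id: str
    accepted: int
    rejected: int
    amount_total: Decimal  # total over every record read, accepted or rejected


def reconcile_file(control, batches):
    """Return the exceptions for one file; an empty list means the file reconciles."""
    rows = [b for b in batches if b.file_id == control.file_id]
    if not rows:
        return ["no batch summary rows logged for this file"]
    exceptions = []

    # A batch logged more than once inflates the processed counts, which is
    # the kind of duplication a count-only comparison cannot explain.
    repeated = sorted(bid for bid, n in Counter(b.batch_id for b in rows).items() if n > 1)
    if repeated:
        exceptions.append("batch logged more than once: " + ", ".join(repeated))

    # Every record sent must be accounted for as accepted or rejected.
    processed = sum(b.accepted + b.rejected for b in rows)
    if processed != control.record_count:
        exceptions.append(f"record count: control={control.record_count} processed={processed}")

    # The amount total catches altered or substituted records even when counts agree.
    amount = sum((b.amount_total for b in rows), Decimal("0"))
    if amount != control.amount_total:
        exceptions.append(f"amount total: control={control.amount_total} processed={amount}")
    return exceptions


def reconcile_interface(controls, batches):
    """Reconcile every file of an interface and flag batches with no control row."""
    report = {c.file_id: reconcile_file(c, batches) for c in controls}
    known = {c.file_id for c in controls}
    for file_id in sorted({b.file_id for b in batches} - known):
        report[file_id] = ["batch summary rows exist without a file control row"]
    return report


# Constructed sample data: one clean file, one with a duplicated batch row,
# one with dropped records, and one batch that has no control row at all.
CONTROLS = [
    FileControl("Q1", 1000, Decimal("25000.00")),
    FileControl("Q2", 1200, Decimal("31000.50")),
    FileControl("Q3", 900, Decimal("18000.00")),
]
BATCHES = [
    BatchSummary("Q1", "B1", 598, 2, Decimal("15000.00")),
    BatchSummary("Q1", "B2", 400, 0, Decimal("10000.00")),
    BatchSummary("Q2", "B1", 700, 0, Decimal("18000.50")),
    BatchSummary("Q2", "B1", 700, 0, Decimal("18000.50")),  # same batch logged twice
    BatchSummary("Q2", "B2", 500, 0, Decimal("13000.00")),
    BatchSummary("Q3", "B1", 850, 0, Decimal("17000.00")),  # 50 records never processed
    BatchSummary("Q4", "B1", 10, 0, Decimal("200.00")),     # no control row received
]

if __name__ == "__main__":
    for file_id, problems in reconcile_interface(CONTROLS, BATCHES).items():
        print(file_id, "OK" if not problems else problems)
```

Running the reconciliation as an automated test during development, with a file that deliberately contains a repeated batch, is one way to catch this class of defect before release.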
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-020
SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS should improve its monitoring of the operating effectiveness of general controls, such as security, for the third-party organizations that provide various electronic benefits transfer (EBT) services. We noted:
a. MDHHS did not document the date it received all 5 System and Organization Controls (SOC) reports* from the EBT service provider to support that MDHHS reviewed the reports in a timely manner. Also, for 4 of these SOC reports received, the same person completed and approved the evaluation of the reports.
b. MDHHS did not obtain a bridge letter in appropriate circumstances for the 1 applicable subservice organization SOC report. In this instance, the bridge letter obtained covered a period of 13 months, for which 9 months occurred during our audit period.
c. MDHHS had not reviewed or evaluated 1 of 2 SOC reports of the subservice organization that provides information systems services, such as hosting services and managing infrastructure services and operations, to the State's EBT service provider.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits.
The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG requires management to complete the review within 30 days of receiving the SOC report. Also, the FMG indicates the departments should consider and document conclusions regarding whether the sub-servicers controls are relevant to the department's control environment and document in their evaluation of the SOC report how these were resolved.
Also, FMG (Part VII, Chapter 2, Section 200) requires the department to divide or segregate duties among different people or implement alternative or compensating controls to mitigate the risk associated with a single user having the ability to perform conflicting duties.
In addition, the State Budget Office's Office of Internal Audit Services SOC report review guidance states that if the report covers a period of less than 6 months, it provides minimal assurance that the controls are in place and that if the gap period is greater than 90 days, the State agency should evaluate if a bridge letter is sufficient or if additional procedures are needed.
Cause
MDHHS's internal control was not sufficient to ensure it documented its review of all components of the SOC reports.
Effect
MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its monitoring of the operating effectiveness of general controls for the third-party organizations that provide various EBT services.
Management Views
MDHHS agrees with the finding.
FINDING 2023-021
SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury.
Condition
MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process.
Criteria
Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government.
Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the Automated Clearing House.
Cause
MDHHS informed us that EBT reconciliations between Bridges, Bridges data warehouse, and the vendor are conducted on a monthly basis using daily data because of the timing of benefit authorization, availability of vendor data, and usage of benefits.
Effect
Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw.
Management Views
MDHHS disagrees that a material weakness and material noncompliance exist. MDHHS federal reporting conducts a daily reconciliation of federal draws and authorizations to retailers based on vendor EBT reports. In addition, MDHHS conducts a monthly reconciliation between Bridges, Bridges data warehouse, and vendor EBT reports using daily data to ensure the client information in Bridges and Bridges data warehouse is accurate. The monthly reconciliation process does not impact the federal draw because the daily reconciliation of the vendor EBT report is used for this purpose. MDHHS provided detailed and accurate descriptions of MDHHS daily and monthly EBT reconciliations to the designated federal awarding agency contacts at the United States Department of Agriculture Food and Nutrition Service Agency that are familiar with MDHHS processes and received confirmation that the current reconciliation processes in place are sufficient to comply with federal regulations.
Auditor's Comments to Management Views
MDHHS acknowledges it does not perform daily reconciliations of payments made to retailers by its EBT contractor to Bridges data although federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day. Also, MDHHS did not sufficiently communicate its EBT process to its regional federal contact person. The daily EBT "reconciliation" noted above does not include Bridges data, but instead uses the EBT contractor report to confirm the accuracy of the federal account balance. Therefore, the regional federal contact person did not have all necessary information to assess if MDHHS's process complied with the federal regulation. In addition, MDHHS did not obtain an opinion from a federal person with the authority to issue an opinion on behalf of the United States Department of Agriculture ensuring consistent interpretation of federal regulations.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 200.516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. MDHHS incurred SNAP (ALN 10.551) expenditures of $3.7 billion during fiscal year 2023, with daily draws averaging over $20 million; therefore, the lack of a daily reconciliation increases the risk MDHHS may not detect differences between the State records and the EBT contractor's reports prior to drawing down federal funds.
The finding stands as written.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support that the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies that FFATA reporting should be completed monthly and that reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or available in a timely manner for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023, as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-022
Pandemic EBT Food Benefits, ALN 10.542, Activities Allowed or Unallowed and Eligibility - Lack of Documentation for School Modality Data Reviews
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain documentation of its efforts to review the accuracy of P-EBT school modality data used to calculate food benefit payments for all eligible students.
Criteria
The Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, requires MDHHS to have an approved state plan to provide P-EBT food benefits to households with children who would otherwise receive free or reduced-price meals if not for their schools being closed because of the COVID-19 emergency.
MDHHS's P-EBT State Plan states it will review monthly sample modality results for program accuracy, including an interview with school personnel and MDE.
Cause
MDHHS informed us it reviewed the school modality data, but it did not document its review in the log.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to or on behalf of ineligible students. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that it appropriately reviews the accuracy of P-EBT school modality data.
Management Views
MDHHS disagrees that not formally documenting the review details on the log rises to the level of a material weakness and material noncompliance.
MDHHS selects a sample of schools that submitted data and verifies the accuracy of P-EBT school modality data reported, documenting the schools reviewed within a log. Following the written business process, P-EBT staff first identify public information available to verify the school's modality data such as the school's calendar or news articles, and then reach out to school administration if public information is not available. If additional steps are required to reconcile the data, P-EBT staff document the support and results, sign off on the reconciliation, and forward to a supervisor for review. For this review period, no discrepancies were identified between what the school reported and school websites. Since no discrepancies were noted, staff verbally communicated the review results to the manager and the log of sample items reviewed was kept within a shared drive.
Auditor's Comments to Management Views
MDHHS acknowledges it did not document the results of its modality reviews because it verbally communicated the results internally. Documentation of completed reviews is necessary to provide information to both MDHHS supervisors and auditors to validate MDHHS appropriately completed its modality reviews. MDHHS provided a spreadsheet to support its reviews; however, the spreadsheet did not substantiate the reviews were completed. Therefore, without documentation, the auditor cannot perform appropriate audit procedures, including sampling and testing of internal control, to verify MDHHS completed its modality reviews.
Federal regulations 2 CFR 200.516(a)(1) and 2 CFR 516(a)(2) state it is the auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness and whether a noncompliance with federal statutes, regulations, or the terms and conditions of a federal award is material for the purpose of reporting an audit finding. The lack of a documented modality review process increases the risk MDHHS may not detect inaccuracies in school reported modality and may authorize payments to ineligible students.
Therefore, the finding stands as written.
FINDING 2023-023
Pandemic EBT Food Benefits, ALN 10.542, Reporting - Accuracy of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not submit accurate monthly P-EBT financial reports to the U.S. Department of Agriculture (USDA) Food and Nutrition Service (FNS) for 1 of 3 sampled Report of Disaster Supplemental Nutrition Assistance Benefit Issuance (FNS-292B). For this 1 instance, MDHHS reported inaccurate disaster relief information in the October 2022 FNS-292B. MDHHS overstated:
a. Total value of benefits issued by $377.9 million.
b. Number of persons issued benefits by 963,633.
c. Number of households issued benefits by 802,454.
Criteria
Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements.
Federal Register 86:89 (11 May 2021) page 25,837 requires state agencies to report the number of eligible children and households receiving P-EBT benefits and total value of the benefits monthly.
Cause
MDHHS informed us its monitoring activities were not sufficient to detect data entry errors included in the submitted report.
Effect
MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of P-EBT funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its internal control and submit accurate P-EBT financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-024
Fish and Wildlife Cluster, ALN 15.605, 15.611, and 15.626, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Inappropriate Telecommunication Expenditures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Natural Resources (DNR) did not ensure that telecommunication expenditures charged to the Fish and Wildlife Cluster were incurred for fish and wildlife activities. We reviewed 1 sampled telecommunication transaction related to 196 employees. We sampled 20 of those employees and noted 2 (10%) employees did not work on fish and wildlife activities.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
In addition, federal regulation 2 CFR 200.306 requires costs used for matching be allowable costs to the federal award.
Cause
DNR informed us because of an oversight error, it did not timely identify these employees to be removed from the monthly telecommunication bill.
Effect
DNR charged the Fish and Wildlife Cluster for telecommunication expenditures related to employees who worked on non-fish and wildlife activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DNR ensure that telecommunication expenditures charged to the Fish and Wildlife Cluster are incurred for fish and wildlife activities.
Management Views
DNR agrees with the finding.
FINDING 2023-025
Fish and Wildlife Cluster, ALN 15.605, 15.611, and 15.626, Equipment and Real Property Management - Inaccurate Inventory of Equipment
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DNR did not properly account for its capitalized equipment acquired with federal funds. We noted DNR did not assign an equipment identification tag and record the capital equipment in its inventory system for 1 of 6 sampled equipment acquisitions.
Criteria
Federal regulation 2 CFR 200.313(b) requires the state agency to manage equipment acquired under a federal award by the state in accordance with state laws and procedures.
The FMG (Part II, Chapter 21, Section 110) and DNR policy require DNR to tag all equipment and to maintain in its records the tag numbers of all capital assets.
Cause
DNR informed us the equipment was not tagged or included in its inventory system because of an oversight.
Effect
Insufficient capital asset records could increase the risk that equipment may be missing, lost, or stolen. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DNR properly account for its capitalized equipment acquisitions.
Management Views
DNR agrees with the finding.
FINDING 2023-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-001.
Finding 2023-001
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance and Material Weakness
Compliance Requirement: Allowable Costs/Cost Principles and Eligibility
Known Questioned Costs: Undeterminable
Repeat Finding: 2022-001
Systemic or Isolated: Systemic
Criteria: The federal government set a prescribed claim progression and eligibility requirements for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for regular unemployment compensation, the claimant is ineligible for receiving benefits under the Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must exhaust all rights to benefits under the previous claim type within the progression to become eligible for the subsequent claim type.
Condition: In certain instances, the benefit system allowed for the payment of benefits under the PUA, PEUC, and EB programs when claimants were eligible for regular unemployment compensation or prior to the exhaustion of the previous claim type within the progression.
Cause: Proper controls were not set within the benefit system to ensure proper eligibility and claim progression.
Effect: Payments of benefits under federal programs have no net effect on the net position of the Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under regular unemployment compensation reduce the net position of the Fund. Additionally, improper payments of benefits under federal programs create unallowed federal costs.
Recommendation: We recommend that the Agency improve controls in the benefit system to ensure proper eligibility and claim progression.
Views of Responsible Officials: Management agrees with the finding. This issue was also raised by the U.S. Department of Labor (DOL), Employment and Training Administration (ETA) in an enhanced desk monitoring review titled The State of Michigan’s Pandemic Unemployment Assistance (PUA) and Federal Pandemic Unemployment Compensation (FPUC) programs. Based on correspondence with U.S. DOL, these findings were deemed resolved with no further action required due to the significant administrative burden involved in correcting the payment sequencing. All claimants were paid the proper benefits, but the federal program charged was incorrect in some instances.
Regarding improvements to the controls to prevent a future issue such as this, along with plans to dedicate sufficient resources to timely audit new programs for compliance, the Agency has revised its process for prioritizing and completing necessary system updates. Effective May 2023, Agency Services implemented an SQR prioritization process for the Agency. When an SQR is opened, it is the responsibility of the applicable division to ensure the request is added to their division priority list and given a priority score (from one to five with one as the highest priority). Meetings are held bi-weekly between Agency Services and division representatives to discuss and review the status of each SQR until the change is migrated to production.
FINDING 2023-059
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-002.
Finding 2023-002
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance – 17.225
Federal Award Identification Number and Year: Various
Type of Finding: Material Noncompliance
Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments
Known Questioned Costs: None
Repeat Finding: 2022-002
Systemic or Isolated: Systematic
Criteria: States are prohibited from providing relief from charges to an employer’s unemployment compensation account when the benefit overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
Condition: The Agency elected to relieve charges to an employer’s unemployment compensation account when the benefit payment was the result of the employer’s failure to respond timely or adequately due to the Covid-19 Pandemic causing unforeseen difficulties for employers within the State.
Cause: The Agency implemented an SQR to credit the charges that would have typically been charged to the nonresponsive employer’s unemployment compensation account during the Covid-19 Pandemic. However, there was an error in the logic of the SQR and certain employers did not have their charges associated with Covid-19 claims relieved.
Effect: Certain nonresponsive employers incorrectly had their unemployment compensation account charged for benefits during the Covid-19 Pandemic. The Agency’s policy to provide relief for employers during the Pandemic was not applied consistently to each employer.
Recommendation: We recommend that the Agency review the logic of the SQR that was implemented to credit the charges that would have typically been charged to the nonresponsive employer’s unemployment compensation account during the Covid-19 Pandemic and review the benefits that were charged to employer accounts throughout the Covid-19 Pandemic to determine which employers were erroneously charged.
Views of Responsible Officials: Management agrees with the finding. The Agency will perform an analysis of the employers adversely impacted by subsequent adjudications and will determine the best course of action to ensure fair and equitable treatment of all employers.
FINDING 2023-060
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-003.
Finding 2023-003
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance
Compliance Requirement: Special Tests and Provisions, UI Program Integrity – Overpayments
Known Questioned Costs: None
Repeat Finding: 2022-003
Systemic or Isolated: Systemic
Criteria: Offsets of future unemployment compensation payments to recover prior overpayments are limited to the recovery of the prior overpayment amount in accordance with federal guidance.
Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the original benefit overpayment were used to recover penalties and interest.
Cause: Due to the continual movement of monies as a result of changes in amounts due resulting from corrections or appeal decisions, a parameter has not been established in the benefit system to account for every possible scenario to prevent the allocation of unapplied recoveries to penalties and interest after overpayment amounts due were satisfied.
Effect: Interest and penalties due under federal and state law were recovered from offsets of unemployment compensation payments.
Recommendation: We recommend that the Agency add a parameter to the automated system to ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment amounts.
Views of Responsible Officials: Management agrees with the finding. The necessary parameter was previously implemented that prevented the inappropriate allocations on current and subsequent benefit payment recoveries; however, subsequent reallocations of monies under specific circumstance caused prior recoupments to improperly reallocate. The Trust Fund Accounting section will perform a monthly review to confirm that no prior period adjustments reallocated recoupments to penalty and interest. The review to date has determined that the adjustment amounts are immaterial. An automated solution does not appear obtainable in the current system. The Agency is in the process of implementing a new automated system and will ensure these adjustments are programmed correctly.
FINDING 2023-060
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-003.
Finding 2023-003
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment
Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN
17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance
Compliance Requirement: Special Tests and Provisions, UI Program Integrity – Overpayments
Known Questioned Costs: None
Repeat Finding: 2022-003
Systemic or Isolated: Systemic
Criteria: Offsets of future unemployment compensation payments to recover prior overpayments
are limited to the recovery of the prior overpayment amount in accordance with federal guidance.
Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the
original benefit overpayment were used to recover penalties and interest.
Cause: Due to the continual movement of monies as a result of changes in amounts due resulting
from corrections or appeal decisions, a parameter has not been established in the benefit system
to account for every possible scenario to prevent the allocation of unapplied recoveries to
penalties and interest after overpayment amounts due were satisfied.
Effect: Interest and penalties due under federal and state law were recovered from offsets of
unemployment compensation payments.
Recommendation: We recommend that the Agency add a parameter to the automated system to
ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment
amounts.
Views of Responsible Officials: Management agrees with the finding. The necessary parameter
was previously implemented that prevented the inappropriate allocations on current and
subsequent benefit payment recoveries; however, subsequent reallocations of monies under
specific circumstances caused prior recoupments to improperly reallocate. The Trust Fund
Accounting section will perform a monthly review to confirm that no prior period adjustments
reallocated recoupments to penalty and interest. The review to date has determined that the
adjustment amounts are immaterial. An automated solution does not appear obtainable in the
current system. The Agency is in the process of implementing a new automated system and will
ensure these adjustments are programmed correctly.
FINDING 2023-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2023, Finding 2023-001.
Finding 2023-001
Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment
Insurance – 17.225
Federal Award Identification Number and Year: Affects all grant awards included under ALN
17.225 on the Schedule of Expenditures of Federal Awards
Type of Finding: Material Noncompliance and Material Weakness
Compliance Requirement: Allowable Costs/Cost Principles and Eligibility
Known Questioned Costs: Undeterminable
Repeat Finding: 2022-001
Systemic or Isolated: Systemic
Criteria: The federal government set a prescribed claim progression and eligibility requirements
for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for
regular unemployment compensation, the claimant is ineligible for receiving benefits under the
Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment
Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must
exhaust all rights to benefits under the previous claim type within the progression to become
eligible for the subsequent claim type.
Condition: In certain instances, the benefit system allowed for the payment of benefits under the
PUA, PEUC, and EB programs when claimants were eligible for regular unemployment
compensation or prior to the exhaustion of the previous claim type within the progression.
Cause: Proper controls were not set within the benefit system to ensure proper eligibility and
claim progression.
Effect: Payments of benefits under federal programs have no net effect on the net position of the
Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under
regular unemployment compensation reduce the net position of the Fund. Additionally,
improper payments of benefits under federal programs create unallowed federal costs.
Recommendation: We recommend that the Agency improve controls in the benefit system to
ensure proper eligibility and claim progression.
Views of Responsible Officials: Management agrees with the finding. This issue was also raised
by the U.S. Department of Labor (DOL), Employment and Training Administration (ETA) in an
enhanced desk monitoring review titled The State of Michigan’s Pandemic Unemployment
Assistance (PUA) and Federal Pandemic Unemployment Compensation (FPUC) programs.
Based on correspondence with U.S. DOL, these findings were deemed resolved with no further
action required due to the significant administrative burden involved in correcting the payment
sequencing. All claimants were paid the proper benefits, but the federal program charged was
incorrect in some instances.
Regarding improvements to the controls to prevent a future issue such as this, along with plans to
dedicate sufficient resources to timely audit new programs for compliance, the Agency has
revised its process for prioritizing and completing necessary system updates. Effective May
2023, Agency Services implemented an SQR prioritization process for the Agency. When an
SQR is opened, it is the responsibility of the applicable division to ensure the request is added to
their division priority list and given a priority score (from one to five with one as the highest
priority). Meetings are held bi-weekly between Agency Services and division representatives to
discuss and review the status of each SQR until the change is migrated to production.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-026
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 1 of 8 sampled payments to ensure the requests are reasonable and appropriate.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
EGLE informed us it determined instances where for a singular grant, it did not follow the established process for reviewing and approving reimbursement requests.
Effect
EGLE could potentially reimburse for ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.
Management Views
EGLE agrees with the finding.
FINDING 2023-027
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not have sufficient controls in place to prevent or detect and correct payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments subsequent to input into the Medical Services Administration Manual Payment System. Our review disclosed MDHHS issued duplicated payments to two recipients.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
MDHHS informed us limited staff resources contributed to the lack of reviews and approvals of the respite grant payments.
Effect
The deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its controls to prevent or detect and correct payment errors made to respite grant recipients.
Management Views
MDHHS agrees with the finding.
FINDING 2023-028
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Procurement and Suspension and Debarment - Lack of Required Contract Provisions
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not include all applicable required provisions in 1 (4%) of 23 sampled contracts executed during fiscal year 2023.
Criteria
Federal regulation 2 CFR 200.327 states the nonfederal entity's contracts must contain the applicable provisions described in Appendix II to Part 200. Appendix II to Part 200 states, in addition to other provisions required by the federal agency or nonfederal entity, all contracts made by the nonfederal entity must contain provisions covering the provisions in Appendix II as applicable.
Cause
DTMB informed us the noncompliant contract was due to the utilization of an existing competitively bid contract in which the project was initially funded with nonfederal funding. DTMB stated funding source changes are not typical; when the project funding was revised, an error was made in not ensuring it included the necessary provisions.
Effect
The contractor may not comply with the required federal provisions because the State did not include the provisions in the contract. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that DTMB include all applicable required provisions in contracts of federal awards.
Management Views
DTMB agrees with the finding.
FINDING 2023-029
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Procurement and Suspension and Debarment - Suspension and Debarment Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have an adequate process to ensure the Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) subrecipients were not suspended or debarred prior to its plans to enter into grant agreements for 3 of the 5 sampled subrecipients.
Criteria
Federal regulation 2 CFR 180.300 requires when MDE enters into a covered transaction with a subrecipient with whom it plans to do business, it must verify that the subrecipient is not suspended or debarred. This can be accomplished by checking the federal website, collecting a certification, or adding a clause or condition to the covered transaction agreement.
Cause
For 2 subrecipients, MDE believes the reference to the entire Uniform Guidance (federal regulation 2 CFR 200) in the grant agreement constitutes verification the subrecipients are not suspended or debarred; therefore, MDE did not add a specific suspension or debarment clause or cite the specific suspension and debarment regulation (federal regulation 2 CFR 200.214). For the other subrecipient, MDE informed us its process was not always sufficient to ensure document retention of its verification to the federal website.
Effect
An increased risk exists that MDE could provide grant funds to suspended or debarred subrecipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None. We reviewed the federal website and noted these 3 subrecipients were not suspended or debarred; therefore, we did not question the costs.
Recommendation
We recommend MDE establish an adequate process to ensure CSLFRF subrecipients are not suspended or debarred prior to its plans to enter into grant agreements.
Management Views
MDE agrees with the finding.
FINDING 2023-030
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all CSLFRF data reported to the U.S. Department of the Treasury. We noted:
a. DTMB did not maintain documentation to support it approved the system role for all 9 sampled Workfront users.
b. DTMB did not review all privileged accounts on a semiannual basis for Workfront users.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2023-031
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully implement an effective change management process over Workfront. We sampled 4 Workfront change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
DTMB informed us the development team met with program management to discuss the necessary system changes to resolve the identified issues, but it did not maintain documentation of these meetings.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Workfront. As a result, an increased risk exists that DTMB cannot ensure Workfront is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement an effective change management process over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2023-032
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and MDE did not report to their subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. MDHHS did not report the correct unique entity identifier (UEI) or FAIN for all 4 sampled CSLFRF subrecipients.
b. MDE did not correctly report one or more of the following for 5 of 6 sampled CSLFRF subrecipients: subrecipient name that matches the name associated with its UEI, unique entity identifier, FAIN, and closeout terms and conditions.
Criteria
Federal regulation 2 CFR 200.332(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., MDHHS informed us because of an oversight, it did not use the correct ALN when determining the FAIN, and the grantee profile contained the Data Universal Numbering System (DUNS) number rather than the UEI.
For part b., MDE informed us because of an oversight, it did not use the appropriately updated grant agreement templates with the correct subaward information for fiscal year 2023.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and MDE report to their subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MDHHS and MDE agree with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-012
Title I Grants to Local Educational Agencies, ALN 84.010 and Supporting Effective Instruction State Grants, ALN 84.367 - Participation of Private School Children
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not obtain and review the local educational agencies' (LEAs') consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children for all 17 sampled Title I LEAs and all 20 sampled Supporting Effective Instruction State Grants (SEISG) LEAs.
Criteria
Federal laws 20 USC 6320(a) and 20 USC 7881(a) state LEAs must engage in timely and meaningful consultation with private school officials and provide eligible private school children, their teachers or other educational personnel, and/or their families with equitable services or other benefits under the federal programs. Also, federal laws 20 USC 6320(b) and 20 USC 7881(c) state each LEA shall maintain its own records and provide to the state educational agency a written affirmation signed by the officials of each private school that the meaningful consultation occurred.
MDE's written policies require LEAs to submit completed consultation forms in GEMS/MARS for review by the MDE Equitable Services Ombudsman.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure it obtained and reviewed the consultation forms. MDE contacted the LEAs and obtained the consultation forms for 13 sampled Title I LEAs and 15 sampled SEISG LEAs subsequent to our review.
Effect
Insufficient review of LEAs' consultation forms may result in eligible private school children not receiving the appropriate equitable services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE obtain and review the LEAs' consultation forms to ensure the LEAs determined the appropriate equitable services provided to private school children.
Management Views
MDE agrees with the finding.
FINDING 2023-033
Title I Grants to Local Educational Agencies, ALN 84.010, Matching, Level of Effort, and Earmarking - Supplement Not Supplant Monitoring Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not sufficiently monitor the LEAs to ensure they had a written methodology to demonstrate compliance with supplement not supplant requirements. MDE's process is to perform an annual risk-based approach of over 850 LEAs and then select higher risk LEAs to conduct on-site reviews that include reviews of the LEA's supplement not supplant methodology. We noted MDE performed an on-site review at 1 LEA during fiscal year 2023.
Criteria
Federal law 20 USC 6321(b) states an LEA shall use Title I, Part A funds only to supplement the funds that would be available from state and local sources for the education of students participating in Title I, Part A programs and not to supplant these funds. The U.S. Department of Education's supplement not supplant guidance indicates the state educational agency shall monitor its LEAs to ensure compliance with the requirements of the federal law, which include reviewing an LEA for a compliant methodology for allocating state and local funds.
Cause
MDE informed us system issues and competing priorities impacted its ability to perform on-site reviews.
Effect
LEAs may have improperly utilized federal funds instead of State or local funding for primary services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE sufficiently monitor LEAs to ensure they have written methodologies to demonstrate compliance with supplement not supplant requirements.
Management Views
MDE agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high-risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
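The account checks described in the Criteria above, written out as an added example (not MDE's code and not part of the audit report): it flags enabled accounts that are past the inactivity cutoff or past their semiannual or annual review, and runs the same data under both the 60-day standard and the 18-month exception. The export layout, field names and sample rows are assumptions constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Intervals quoted in the Criteria above.
PRIVILEGED_REVIEW_MONTHS = 6      # privileged accounts: semiannual review
STANDARD_REVIEW_MONTHS = 12       # all other accounts: annual review
STANDARD_INACTIVITY_DAYS = 60     # default auto-disable threshold
EXCEPTION_INACTIVITY_MONTHS = 18  # MDE's approved exception


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical account export (field names are assumptions)."""
    user_id: str
    system: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]    # None = never logged in
    last_review: Optional[date]   # None = never recertified


def months_before(day: date, months: int) -> date:
    """Calendar date `months` months before `day`, clamped to the month's end."""
    index = day.year * 12 + (day.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def audit_accounts(accounts: List[Account], as_of: date,
                   inactive_cutoff: date) -> List[Tuple[str, str]]:
    """Return (user_id, issue) pairs for every enabled account out of policy."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing left to enforce
        # An account that was never used ages from its creation date.
        last_activity = acct.last_login or acct.created
        if last_activity < inactive_cutoff:
            findings.append((acct.user_id, "INACTIVE_NOT_DISABLED"))
        months = PRIVILEGED_REVIEW_MONTHS if acct.privileged else STANDARD_REVIEW_MONTHS
        # A never-reviewed account becomes due one interval after creation.
        baseline = acct.last_review or acct.created
        if baseline < months_before(as_of, months):
            label = "PRIVILEGED" if acct.privileged else "ANNUAL"
            findings.append((acct.user_id, f"{label}_REVIEW_OVERDUE"))
    return findings


AS_OF = date(2023, 9, 30)  # the as-of date used in part d.

# Constructed sample rows; none of these users come from the audit.
SAMPLE_ACCOUNTS = [
    Account("u1", "MiND", False, True, date(2019, 1, 10), date(2022, 1, 15), date(2023, 5, 1)),
    Account("u2", "NexSys", True, True, date(2020, 6, 1), date(2023, 9, 1), date(2023, 1, 15)),
    Account("u3", "MEGS+", False, True, date(2021, 2, 1), date(2023, 8, 20), None),
    Account("u4", "NexSys", False, False, date(2018, 3, 1), date(2021, 1, 1), None),
    Account("u5", "MiND", False, True, date(2023, 7, 1), None, None),
    Account("u6", "GEMS/MARS", False, True, date(2020, 9, 1), date(2023, 6, 15), date(2023, 2, 1)),
]


def under_exception() -> List[Tuple[str, str]]:
    """Findings when the 18-month exception sets the inactivity cutoff."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF,
                          months_before(AS_OF, EXCEPTION_INACTIVITY_MONTHS))


def under_standard() -> List[Tuple[str, str]]:
    """Findings when the 60-day standard sets the inactivity cutoff."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF,
                          AS_OF - timedelta(days=STANDARD_INACTIVITY_DAYS))


if __name__ == "__main__":
    for name, result in (("18-month exception", under_exception()),
                         ("60-day standard", under_standard())):
        print(name)
        for user_id, issue in result:
            print(f"  {user_id}: {issue}")
```

Run on a schedule against each system's real export, the same checks give the reviewer a dated list to sign off, which is the documentation the finding says was missing.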
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
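The reconciliation the Criteria describe, as an added example that is not DTMB's code or part of the audit report: each interface file's declared totals are compared with the sum of its batch summary rows, and a batch logged twice (the kind of duplicated record count named in the Cause) is reported explicitly. The table layouts, field names and sample rows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class FileControl:
    """Totals the source system declares for one interface file (assumed layout)."""
    file_id: str
    record_count: int
    control_total: Decimal


@dataclass(frozen=True)
class BatchSummary:
    """Totals the receiving system logs for one processed batch (assumed layout)."""
    file_id: str
    batch_id: int
    record_count: int
    amount_total: Decimal


def reconcile(controls: List[FileControl],
              batches: List[BatchSummary]) -> Dict[str, List[str]]:
    """Map each file_id to its exceptions; an empty list means the file ties out."""
    by_file = defaultdict(list)
    for row in batches:
        by_file[row.file_id].append(row)

    results: Dict[str, List[str]] = {}
    for ctl in controls:
        rows = by_file.pop(ctl.file_id, [])
        if not rows:
            results[ctl.file_id] = ["NO_BATCH_SUMMARY"]
            continue
        issues = []
        # A batch logged more than once inflates both totals; name it so the
        # reviewer sees the cause and not just the symptom.
        seen = Counter(r.batch_id for r in rows)
        repeated = sorted(b for b, n in seen.items() if n > 1)
        if repeated:
            issues.append("DUPLICATE_BATCH:" + ",".join(map(str, repeated)))
        count = sum(r.record_count for r in rows)
        total = sum((r.amount_total for r in rows), Decimal("0"))
        if count != ctl.record_count:
            issues.append(f"COUNT_MISMATCH:expected={ctl.record_count},got={count}")
        # Counts can match while content differs, so the control total is
        # checked independently of the record count.
        if total != ctl.control_total:
            issues.append(f"TOTAL_MISMATCH:expected={ctl.control_total},got={total}")
        results[ctl.file_id] = issues

    # Batches pointing at a file with no control row cannot be reconciled.
    for file_id in sorted(by_file):
        results[file_id] = ["NO_FILE_CONTROL"]
    return results


# Constructed sample data; file ids and amounts are not from the audit.
CONTROLS = [
    FileControl("Q1", 300, Decimal("4500.00")),
    FileControl("Q2", 250, Decimal("3750.00")),
    FileControl("Q3", 120, Decimal("1800.00")),
    FileControl("Q4", 80, Decimal("1200.00")),
]
BATCHES = [
    BatchSummary("Q1", 1, 100, Decimal("1500.00")),
    BatchSummary("Q1", 2, 200, Decimal("3000.00")),
    BatchSummary("Q2", 1, 150, Decimal("2250.00")),
    BatchSummary("Q2", 2, 100, Decimal("1500.00")),
    BatchSummary("Q2", 2, 100, Decimal("1500.00")),  # same batch written twice
    BatchSummary("Q3", 1, 120, Decimal("1799.00")),  # count ties, amount does not
    BatchSummary("Q9", 1, 10, Decimal("150.00")),    # no matching control row
]

if __name__ == "__main__":
    for file_id, issues in reconcile(CONTROLS, BATCHES).items():
        print(file_id, "OK" if not issues else "; ".join(issues))
```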
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
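The reconciliation the criteria above call for, as an added example that is not part of the audit report or of Bridges: a file's control totals are compared against the receiving side's batch summary rows and the records actually loaded, so a duplicated summary row (the kind of record-count duplication named in the cause) surfaces as an exception. The table layouts, field names and sample values are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class FileControl:
    """Control record the source system sends with a file (hypothetical layout)."""
    file_id: str
    record_count: int
    amount_total: Decimal


@dataclass(frozen=True)
class BatchSummary:
    """One row the receiving system logs per batch it loads (hypothetical layout)."""
    file_id: str
    batch_no: int
    record_count: int
    amount_total: Decimal


def reconcile(control, batches, records):
    """Return a list of exceptions; an empty list means the file reconciles.

    records is the list of (record_key, amount) pairs actually loaded.
    """
    exceptions = []
    rows = [b for b in batches if b.file_id == control.file_id]
    if not rows:
        exceptions.append("no batch summary rows for file")

    # A batch logged twice inflates the summary without any extra data loaded.
    seen = Counter(b.batch_no for b in rows)
    dup_batches = sorted(n for n, c in seen.items() if c > 1)
    if dup_batches:
        exceptions.append(f"batch summary rows duplicated: {dup_batches}")

    summary_count = sum(b.record_count for b in rows)
    summary_total = sum((b.amount_total for b in rows), Decimal("0"))
    loaded_count = len(records)
    loaded_total = sum((amount for _, amount in records), Decimal("0"))

    # Three-way comparison: control record vs. batch summary vs. loaded data.
    if summary_count != control.record_count:
        exceptions.append(
            f"record count: control={control.record_count} summary={summary_count}")
    if summary_total != control.amount_total:
        exceptions.append(
            f"amount total: control={control.amount_total} summary={summary_total}")
    if loaded_count != control.record_count:
        exceptions.append(
            f"records loaded: control={control.record_count} loaded={loaded_count}")
    if loaded_total != control.amount_total:
        exceptions.append(
            f"amount loaded: control={control.amount_total} loaded={loaded_total}")

    dup_keys = sorted(k for k, c in Counter(k for k, _ in records).items() if c > 1)
    if dup_keys:
        exceptions.append(f"record keys loaded more than once: {dup_keys}")
    return exceptions


# Constructed sample data (not taken from any real interface file).
RECORDS = [
    ("R001", Decimal("120.00")),
    ("R002", Decimal("75.50")),
    ("R003", Decimal("210.25")),
    ("R004", Decimal("64.25")),
]
CONTROL = FileControl("IF-EXAMPLE-Q1", 4, Decimal("470.00"))
GOOD_BATCHES = [
    BatchSummary("IF-EXAMPLE-Q1", 1, 2, Decimal("195.50")),
    BatchSummary("IF-EXAMPLE-Q1", 2, 2, Decimal("274.50")),
]
# Same load, but batch 2 was written to the summary table twice.
BAD_BATCHES = GOOD_BATCHES + [GOOD_BATCHES[1]]

if __name__ == "__main__":
    print("clean file:", reconcile(CONTROL, GOOD_BATCHES, RECORDS))
    for line in reconcile(CONTROL, BAD_BATCHES, RECORDS):
        print("exception:", line)
```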
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
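A check for the account-management criteria above (semiannual review of privileged accounts, annual review of all others, and disabling of inactive accounts after 60 days or, under MDE's approved exception, 18 months), as an added example that is not MDE's or the State's own code. The account inventory layout and the sample accounts are constructed assumptions; only the thresholds and the September 30, 2023 as-of date come from the finding.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One row of an account inventory export (hypothetical layout)."""
    user_id: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]
    last_review: Optional[date]


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction, clamping the day (31 May minus 3 -> 28/29 Feb)."""
    idx = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(idx, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def baseline_cutoff(as_of: date) -> date:
    """60-day inactivity limit stated in the Standard."""
    return as_of - timedelta(days=60)


def exception_cutoff(as_of: date) -> date:
    """18-month inactivity limit under the approved exception."""
    return months_before(as_of, 18)


def review_accounts(accounts, as_of, inactive_before):
    """Map user_id -> list of issues for enabled accounts that need action."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to recertify or disable
        issues = []
        # An account that never logged in is aged from its creation date.
        last_activity = acct.last_login or acct.created
        if last_activity < inactive_before:
            issues.append("inactive: disable")
        # Privileged accounts: semiannual review; all others: annual.
        review_due = months_before(as_of, 6 if acct.privileged else 12)
        if (acct.last_review or acct.created) < review_due:
            issues.append("review overdue")
        if issues:
            findings[acct.user_id] = issues
    return findings


AS_OF = date(2023, 9, 30)

# Constructed sample inventory (user ids and dates are illustrative only).
ACCOUNTS = [
    Account("u-admin", True, True, date(2019, 4, 1), date(2023, 9, 1), date(2023, 2, 15)),
    Account("u-clerk", False, True, date(2020, 7, 15), date(2023, 6, 10), date(2023, 1, 20)),
    Account("u-dormant", False, True, date(2018, 2, 1), date(2021, 11, 5), date(2022, 5, 1)),
    Account("u-gone", False, False, date(2017, 1, 1), date(2020, 1, 1), None),
    Account("u-new", False, True, date(2023, 8, 20), None, None),
]

if __name__ == "__main__":
    for label, cutoff in (("18-month exception", exception_cutoff(AS_OF)),
                          ("60-day baseline", baseline_cutoff(AS_OF))):
        print(label, "cutoff", cutoff)
        for user, issues in review_accounts(ACCOUNTS, AS_OF, cutoff).items():
            print("  ", user, issues)
```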
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions on the FSRS website that provide guidance on the correct FFATA reporting process. This guidance clarifies that FFATA reporting should be completed monthly and that reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support that the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers, and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support that they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support that child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support that child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing users' accounts. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-006
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); and Next Generation Grant, Application and Cash Management System (NexSys). We noted:
a. MDE did not consistently follow its established policies and procedures over the granting of access to MiND and NexSys:
(1) MDE did not maintain documentation to support the appropriate individual approved the system role for 6 (24%) of 25 sampled MiND users.
(2) Of the 47 sampled NexSys forms reviewed, 19 forms related to replacing an existing user and we noted for 1 (5%) of these users MDE did not deactivate the existing user's account. Also, MDE did not obtain proper approval prior to granting access for 1 of 6 sampled NexSys grant unit users. In addition, MDE did not properly authorize 2 of 9 sampled NexSys users with incompatible roles.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for MEGS+, GEMS/MARS, and NexSys.
(2) MDE did not always ensure the subrecipients* certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
d. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2023 as noted below: See Schedule of Findings and Questioned Costs for chart/table.
e. MDE did not timely review 2 of the 4 quarterly MEGS+ high-risk transactions' review sheets.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. MDE's process also requires quarterly reviews of MEGS+ high risk transactions.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-007
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys.
We sampled 24 MiND and 10 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-010
MDE, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not ensure it reported or accurately and timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDE did not report any subaward information for 7 (4%) of 171 sampled subawards.
b. Of the 164 subawards in FFATA Subaward Reporting System (FSRS):
(1) MDE did not timely submit subaward information for 150 (91%) sampled subawards.
(2) MDE did not submit the correct amount for 24 (15%) sampled subawards.
(3) MDE did not report all key data elements for 39 (24%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE's FFATA preparation process was not designed to include data from all systems used to make awards to subrecipients. MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds expended by MDE. As a result, historical data is unavailable in FSRS.
Effect
MDE grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the CCDF Cluster because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDE ensure it reports or accurately and timely reports all subaward information as required by FFATA and federal guidance.
Management Views
MDE and the Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) agree with the finding.
FINDING 2023-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - Child Care Stabilization Grant
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not have sufficient controls in place to ensure child care stabilization grant funds were used for authorized activities.
Our review of 7 (18%) of 40 sampled child care providers noted the provider's file did not include adequate documentation to support the provider used the grant funds on authorized activities, such as staff bonuses; rent, utilities, facilities, maintenance, and insurance; personal protective equipment; or goods and services.
Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers and the providers may use the funds on a variety of key operating expenses, including wages and benefits, rent and utilities, cleaning and sanitization supplies and services, and other goods and services necessary to maintain or resume child care services. Also, MDE's written procedures require child care providers to submit documentation, such as itemized receipts or payroll reports, to support they used the grant funds for allowable expenses.
HHS's Administration for Children and Families child care stabilization fund guidance indicates the lead agencies should collect information from the child care providers regarding how they utilized the grant funds.
Cause
MDE's post-payment review process was not sufficient to ensure staff verified the providers submitted adequate documentation to support the use of grant funds.
Effect
We consider this to be a material weakness and material noncompliance because MDE may not have requested repayment of grant funds from child care providers for unallowable activities and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $205,706 - federal share.
Recommendation
We recommend MiLEAP implement sufficient controls to ensure child care stabilization grant funds are used for authorized activities.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-035
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 3 (8%) of the 40 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 2 (5%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (3%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MDE may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $127 - federal share.
• $52 - State share of costs MDE inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2023-036
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MDE and LARA did not perform timely inspections to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed LARA did not ensure timely annual on-site inspections for 8 (15%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
LARA informed us limited resources impacted the timeliness of some inspections.
Effect
MDE and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP perform timely inspections to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
LARA and MiLEAP agree with the finding.
FINDING 2023-037
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MDE did not report the unique entity identifier or federal award project description for 1 of 6 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MDE informed us that, because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment, which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and states that accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment, which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it had not yet established and implemented the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment, which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it had not yet established and implemented the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $1,058 for 8 (27%) of 30 payments sampled from a $1,620,411 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs exceed $25,000.
• $945 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $113 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $183, for 3 (20%) of 15 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 135, effective through January 31, 2023, prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 140, effective February 1, 2023, prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Sections 135 and 140 allow payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $183 from October 1, 2022 through September 30, 2023 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $128 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $55 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $328,942 for 5,003 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. The overall solution is more complex than originally estimated and completing public health emergency unwind-related priorities took precedence, causing further delay in implementation.
Effect
MDHHS made improper FFS practitioner payments of $328,942 from October 1, 2022 through September 30, 2023. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $236,969 - federal share of improper payments made to providers from October 1, 2022 through September 30, 2023.
• $91,973 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2023-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer the Medicaid Cluster. We reviewed 5 significant systems and noted:
a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2023, such as annual review and testing of the plan.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 2 systems during fiscal year 2023, including not updating the risk assessment which resulted in the expiration of the authority to operate (ATO) for both systems.
Criteria
Federal regulation 45 CFR 95.621 makes state agencies responsible for security of information systems used to administer federal programs. In part, the regulation requires state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer the Medicaid Cluster.
Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with part b. of the finding.
For part b., although MDHHS agrees that system security plans were not updated timely for the systems cited and the authority to operate expired for both systems, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above.
MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate. The ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate effectiveness of controls.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The other system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the two systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-042
Public Health Emergency Preparedness, ALN 93.069, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for all 57 subrecipients.
b. MDHHS did not obtain all required semiannual progress reports for 2 (15%) of 13 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and terms and conditions of the subaward and that subaward performance goals are achieved.
As part of its risk assessment procedures, MDHHS conducts an assessment of all subrecipients to determine the monitoring activities, which may include on-site or desk reviews. In addition, MDHHS monitors the performance of subrecipients through semiannual progress reports.
Cause
MDHHS informed us limited resources and competing priorities contributed to its inability to sufficiently monitor and evaluate subrecipients.
Effect
Insufficient monitoring and evaluation of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-043
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR User Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over the Michigan Care Improvement Registry (MCIR). MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children program. We noted MDHHS did not disable 21 (13%) of 158 active MCIR user accounts that had not accessed the application in over 60 days as of September 30, 2023.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires the information system to automatically disable inactive user accounts after 60 days.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MCIR. As a result, an increased risk exists that MDHHS cannot ensure the security of MCIR.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MCIR.
Management Views
MDHHS agrees with the finding.
FINDING 2023-044
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - Control, Accountability, and Safeguarding of Vaccine and Record of Immunization
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure compliance site visits for providers enrolled in the Vaccines for Children (VFC) program were conducted in accordance with federal guidelines. We noted:
a. MDHHS did not timely conduct a compliance site visit at least once every 24 months for 24 (60%) of 40 sampled providers. For the 24 providers, the compliance visits were late between 1.7 months and 4.0 years, averaging 1.7 years.
b. MDHHS did not conduct a compliance site visit at least once every 24 months for 1 (3%) of 40 sampled providers. The compliance visit was not complete as of September 30, 2023 and was overdue by 2.0 years.
Criteria
Federal law 42 USC 1396s requires vaccines to be adequately safeguarded and used solely for authorized purposes. The HHS's Centers for Disease Control and Prevention's (CDC's) Vaccines for Children July 2022 and July 2023 Operations Guides state that awardees must conduct and record VFC compliance site visits, covering areas of provider details, eligibility, documentation, storage and handling, and inventory management with each VFC provider every 24 months.
Cause
MDHHS informed us during the COVID-19 pandemic it conducted limited provider site visits, which created a backlog of site visits to complete during fiscal year 2023. Also, MDHHS informed us staff turnover and vacancies at the local health departments contributed to the delay in the site visits.
Effect
MDHHS could not ensure VFC providers adequately safeguarded and used vaccines solely for authorized purposes. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure required compliance site visits for providers enrolled in the VFC program are conducted.
Management Views
MDHHS disagrees with the finding. Site visits did not resume for all VFC providers until the July 1, 2022 through June 30, 2023 review cycle because the CDC allowed jurisdictions to temporarily suspend these visits during the COVID-19 pandemic that ended during May 2023. MDHHS previously reached out to the CDC for clarification on conducting site visits and was informed that site visit activities could be suspended based on COVID-19 activity in MDHHS's jurisdiction and capacity within MDHHS's organization. The site visits identified in the finding were included in the backlog of suspended site visits that MDHHS continued to work through during the audit period.
Auditor's Comments to Management Views
Although the CDC communicated a temporary suspension was permissible, the CDC compliance site visit requirement did not change. Also, the special tests and provisions compliance requirements for Control, Accountability, and Safeguarding of Vaccine and Record of Immunization were subject to audit according to the OMB Compliance Supplement. As the federal grantor agency, the CDC has discretion as to whether penalties will be assessed for noncompliance. However, neither this nor MDHHS's capacity to rectify the backlog and complete the required site visits alleviates our responsibility to report noncompliance under the Uniform Guidance.
Therefore, the finding stands as written.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continues to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-045
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - MiSACWIS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS).
We noted:
a. MDHHS did not properly approve 2 (4%) of the 50 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS.
b. MDHHS did not maintain documentation for 4 (10%) of 40 sampled MiSACWIS incompatible role exception requests.
c. MDHHS did not document or properly review its annual recertification of 2 (5%) of 40 sampled MiSACWIS non-privileged user accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements annually for all non-privileged accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist.
Cause
For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access.
For part c., MDHHS informed us the users' roles were not always recertified due to staff oversight.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over MiSACWIS.
Management Views
MDHHS agrees with the finding.
FINDING 2023-046
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - MARS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted LEO did not disable 34 (24%) of 140 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2023.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires the information system to automatically disable inactive user accounts after 60 days.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective user access controls over MARS.
Management Views
LEO agrees with the finding.
FINDING 2023-047
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Non-Financial Eligibility Documentation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for 3 (14%) of 21 sampled TANF-funded assistance payments.
MDHHS did not obtain or maintain documentation such as support for timely completion of the Family Automated Screening Tool, Family Self-Sufficiency Plan, and records to support children older than 6 were attending school full time in order to demonstrate the 3 families were in need of TANF assistance.
Criteria
Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's TANF State Plan requires MDHHS and the client complete the Family Self-Sufficiency Plan prior to the end of the first three months of assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state.
Cause
MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record.
Effect
MDHHS may have made TANF-funded assistance payments to ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $97 - federal share.
Recommendation
We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments.
Management Views
MDHHS agrees with the finding.
FINDING 2023-048
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Inappropriate TANF-Funded Adoption Subsidy Rate
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate negotiated rate to calculate the payment to adoptive parents for 1 (6%) of 17 sampled TANF-funded adoption subsidy case records.
Criteria
Federal regulation 45 CFR 263.11(a)(1) states funds may be used in any manner reasonably calculated to achieve the purposes of TANF. Section 400.115i of the Michigan Compiled Laws requires adoptive parents to enter into agreements with the State that prescribe the payment amount.
Also, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award; conform to any limitations, exclusions, or conditions; be in accordance with the relative benefits received by the program; and be consistent with policies and procedures that apply to both the federal award and other activities of the state.
Cause
MDHHS informed us adoption assistance agreements received prior to January 21, 2014 were eligible for clothing allowance. MDHHS manually created negotiated rate offsets in MiSACWIS until the system was updated on June 18, 2015 to not include the clothing allowance in future calculated rates. The month the child turns 13, the clothing allowance rates are increased. The under 13 clothing allowance rate was not manually removed by MDHHS for the month the child turned 13, causing MiSACWIS to calculate and pay a rate to the adoptive parent for the month the child turned 13 only, which was greater than the negotiated rate.
Effect
MDHHS made payments to adoptive parents not consistent with the agreed upon negotiated rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS use the appropriate negotiated rate to calculate the TANF-funded adoption subsidy payments to adoptive parents.
Management Views
MDHHS disagrees with the finding. Although the appropriate negotiated rate was not used to calculate the initial payment, MDHHS disagrees that a deficiency exists.
MDHHS ensures that the appropriate negotiated rate is used during an annual review process that occurs each year and is based on the child's birth month. The annual report process includes a thorough payment history review for each adoption assistance case to ensure payments are issued accurately. This involves verifying cases are paid at the correct rate and identifying any overpayments that occurred for adoption assistance agreements that were entered into between January 21, 2014 through June 18, 2015, prior to the MiSACWIS system update to automate the clothing allowance offset. The overpayment noted in the finding was identified by the auditor during the month prior to MDHHS's annual review process, which was scheduled for April 2024, and the negotiated rate for the month the child turned 13 was manually corrected and recouped by MDHHS in March 2024. MDHHS believes this is a timing issue and disagrees that a deficiency exists.
Auditor's Comments to Management Views
Regardless of the timing of MDHHS's annual review process, Subpart E of federal regulation 45 CFR 75 requires MDHHS costs charged to the federal program be necessary and reasonable. In addition, federal regulation 45 CFR 75.2 defines an "improper payment" as any payment that should not have been made or made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. MDHHS did not manually correct the negotiated rate for the month the child turned 13. Once the auditor informed MDHHS of the error, MDHHS recouped the overpayment in March 2024.
Therefore, this finding stands as written.
FINDING 2023-049
Temporary Assistance for Needy Families, ALN 93.558, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for 1 of 4 sampled subrecipients.
b. MDHHS did not document its monitoring activities and any potential follow-up actions related to deficiencies noted during the review for 1 of 3 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved.
Cause
MDHHS believed its current process to monitor and evaluate subrecipients was sufficient to comply with program requirements. However, the documentation provided did not substantiate the procedures completed.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2023-050
Temporary Assistance for Needy Families, ALN 93.558, Special Tests and Provisions - Child Support Non-Cooperation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately and timely sanction TANF families who did not cooperate with establishing paternity and child support orders in 5 (13%) of the 40 sampled case records. MDHHS uses an automated interface between the Michigan Child Support Enforcement System and Bridges to identify and sanction TANF families not cooperating with establishing paternity and child support orders.
We noted for all 5 cases, the automated interface identified that the TANF family was not cooperating, but the benefits did not stop and the clients' case records did not contain evidence the clients met good cause criteria for not cooperating.
Criteria
Federal regulation 45 CFR 264.30 states MDHHS must deduct an amount equal to not less than 25% from the TANF-funded assistance that would otherwise be provided to the family of the individual or may deny the family any TANF-funded assistance. MDHHS's TANF State Plan states failure to cooperate in establishing paternity and pursuing child support for dependent children will result in TANF client ineligibility for a one-month minimum.
Cause
MDHHS's internal control did not ensure county/district office caseworkers applied the appropriate one-month sanction period for the child support non-cooperation for one case. For the remaining 4 cases, MDHHS informed us the one-month sanction period for the child support non-cooperation was not applied because the case was in a non-ongoing mode, which requires certification of the case by all MDHHS programs because of a change in client circumstances.
Effect
MDHHS may have inappropriately paid TANF funds to individuals who were ineligible because of failure to comply with child support requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS appropriately and timely sanction TANF families who do not cooperate with establishing paternity and child support orders.
Management Views
MDHHS disagrees with 4 of 5 exceptions identified. The MDHHS Bridges technical team reviewed each cited case and determined that Bridges was functioning as intended for four cases identified because each case was in a non-ongoing mode at the time the automated interface occurred. A case is placed into this status if the client circumstances have changed for any MDHHS program within Bridges and the case requires a redetermination. TANF policy cannot mandate Bridges to change the non-ongoing mode because each impacted program is required to be certified prior to changing the status. MDHHS policy does not mandate a specific length of time that a case can be in a non-ongoing status. The results of the redetermination can impact the client's non-cooperation status and therefore the client should not be sanctioned until the certification by all programs is complete.
For two of the cases, the client was appropriately sanctioned after the case review was complete, and for the other two cases, the client was determined to be in compliance once the case was removed from the non-ongoing status mode.
Auditor's Comments to Management Views
MDHHS did not timely initiate sanctions against clients identified as not cooperating with establishing paternity and child support orders. Federal regulation 45 CFR 233.10 states when there is a change in circumstances, payment may not continue beyond one month after the change. For the 4 exceptions with which MDHHS disagrees, we noted MDHHS continued to make payments for up to 7 months after the date of non-cooperation.
Therefore, this finding stands as written.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-009
Treasury, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the Child Support Services and LIHEAP clearance patterns as specified in its fiscal year 2023 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the program clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-051
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, and Subrecipient Monitoring - Salesforce Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not fully establish effective security management and access controls over the Salesforce users. Program subrecipients utilize Salesforce to submit performance data, contract budgets, and expenditure submissions related to refugee resettlement. Also, LEO program staff utilize Salesforce to manage subgrants and review and approve subrecipient contract budgets and payment requests. We noted LEO did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Salesforce. As a result, an increased risk exists that LEO cannot ensure the security of the Salesforce application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective security management and access controls over Salesforce users.
Management Views
LEO agrees with the finding.
FINDING 2023-052
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Assistance to Ineligible Refugees
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility. Our review disclosed:
a. MDHHS did not maintain sufficient documentation of its efforts to evaluate clients' eligibility; examples of documentation include support for the verification of nationality, identification, U.S. entry date, and mandatory work for 7 (28%) of 25 sampled refugee cash or medical assistance payments.
b. MDHHS inappropriately charged medical service expenditures of $98,381 to the federal program for non-REAP clients.
Criteria
Federal regulations 45 CFR 400.53 and 45 CFR 400.75(a) require refugees to meet general eligibility requirements for refugee cash assistance, including requirements that eligible refugees meet immigration status and identification conditions; reside in the United States less than the eligibility period determined by HHS's Office of Refugee Resettlement; and cannot, without good cause, fail or refuse to meet the work registry requirements. Also, federal regulation 45 CFR 400.28 requires MDHHS provide for the maintenance of operational records as are necessary for federal monitoring of the State's REAP.
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
For part a., MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in clients' case records to support eligibility.
For part b., MDHHS indicated program records properly accounted for client eligibility; however, because of staff oversight, the accounting records were not properly adjusted following the correction of a reporting defect.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have provided assistance to ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $99,995 - federal share.
Recommendations
We recommend LEO and MDHHS maintain documentation to support that client eligibility was determined in accordance with eligibility requirements.
We also recommend LEO and MDHHS ensure they properly charge only REAP eligible client assistance to REAP.
Management Views
LEO and MDHHS agree with the finding.
FINDING 2023-053
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Cash Management - Timeliness of Cash Draws
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not ensure its reimbursement requests were prepared in accordance with the CMIA. We noted for 1 of the 2 sampled quarterly cash draws, LEO prepared the reimbursement request 151 days after the quarter ended.
Criteria
Subpart B of federal regulation 31 CFR 205 requires that a state minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
Cause
LEO informed us staffing limitations impacted its ability to timely submit reimbursement requests.
Effect
LEO limited its assurance that it complied with the CMIA and may have lost interest by drawing funds late. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO ensure its reimbursement requests are prepared in accordance with the CMIA.
Management Views
LEO agrees with the finding.
FINDING 2023-054
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not report any REAP subaward information as required by FFATA.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires LEO to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
LEO informed us it had not implemented a process to accumulate and submit the required information to the federal system.
Effect
LEO grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because LEO did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO report REAP subaward information as required by FFATA.
Management Views
LEO agrees with the finding.
FINDING 2023-055
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Subrecipient Monitoring - Subrecipient Audits and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not properly monitor its subrecipients to ensure they complied with the Uniform Guidance. In addition, LEO did not accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. LEO did not have a process to identify or document if the subrecipients required a single audit. Therefore, LEO did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. LEO did not report the correct FAIN for 3 of the 4 sampled subawards.
Criteria
Federal regulation 45 CFR 75.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 45 CFR 75.352(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 45 CFR 75.521(d) requires LEO to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the federal audit clearinghouse (FAC).
In addition, federal regulation 45 CFR 75.352(a) requires that all pass-through entities ensure every subaward includes certain information.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to review subrecipient single audits.
For part b., LEO informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
LEO limited the State's assurance that its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to LEO's records. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. We consider this to be a material weakness and material noncompliance because LEO did not complete any monitoring of its subrecipients' single audits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO properly monitor its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-009
Treasury, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the Child Support Services and LIHEAP clearance patterns as specified in its fiscal year 2023 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the program clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-056
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Client Benefits in Excess of Fiscal Year Cap
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure the total client benefits were limited to the fiscal year cap for 1 (3%) of 39 sampled clients.
Criteria
Federal law 42 USC 8624 requires the State expend funds in accordance with the LIHEAP State Plan. The LIHEAP State Plan indicates that when a payment was necessary to resolve an energy related emergency, the payment would be the minimum amount necessary to prevent shutoff or restore activities for natural gas and electric services and the payment for any other fuel types and deliverable fuels may be made up to the fiscal year cap. Also, MDHHS policy establishes payment limits for these emergency energy fiscal year caps.
Cause
MDHHS informed us the miscalculation of the total client benefits paid during the fiscal year was caused by a manual data entry error.
Effect
MDHHS made an energy payment in excess of the client's fiscal year cap. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $190 - federal share.
Recommendation
We recommend MDHHS ensure the total client benefits do not exceed the fiscal year cap.
Management Views
MDHHS agrees with the finding.
FINDING 2023-057
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, household size, and proof of energy crisis for 9 (23%) of 39 sampled LIHEAP-funded State Emergency Relief (SER) energy payments.
Criteria
Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy.
MDHHS policy requires county/district office caseworkers to verify and include certain income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. In addition, policy indicates the income limitation to be eligible is based on family size or SER group size.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $6,469 - federal share.
Recommendation
We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
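An added illustration, not part of the audit report or of Bridges: one way a receiving system can reconcile an interface file against its control totals and spot the failure described under Cause, where record counts are duplicated in the summary table. The table names, columns, interface name, and sample rows are constructed assumptions.

```python
import sqlite3

# Hypothetical schema: none of these names come from Bridges.
SCHEMA = """
CREATE TABLE file_control (   -- control total declared by the source system
    file_id TEXT PRIMARY KEY, interface TEXT, declared_records INTEGER);
CREATE TABLE batch_summary (  -- counts logged by the receiving load job
    file_id TEXT, batch_no INTEGER, records_processed INTEGER);
CREATE TABLE loaded_record (  -- detail rows that actually landed
    file_id TEXT, batch_no INTEGER, record_key TEXT);
"""

# Each total comes from its own subquery. Joining both child tables to
# file_control in one statement would fan out rows and inflate the counts.
TOTALS_SQL = """
SELECT fc.file_id, fc.declared_records,
       COALESCE((SELECT SUM(b.records_processed) FROM batch_summary b
                  WHERE b.file_id = fc.file_id), 0),
       (SELECT COUNT(DISTINCT r.record_key) FROM loaded_record r
         WHERE r.file_id = fc.file_id)
FROM file_control fc ORDER BY fc.file_id
"""

# A batch logged more than once is the signature of a duplicated count.
DUPLICATE_SQL = """
SELECT file_id, batch_no FROM batch_summary
GROUP BY file_id, batch_no HAVING COUNT(*) > 1
ORDER BY file_id, batch_no
"""

# Constructed sample: (file_id, declared, [(batch_no, logged)], {batch_no: loaded})
SAMPLE = [
    ("2023Q1", 5, [(1, 3), (2, 2)], {1: 3, 2: 2}),          # clean
    ("2023Q2", 5, [(1, 3), (2, 2), (2, 2)], {1: 3, 2: 2}),  # batch 2 logged twice
    ("2023Q3", 4, [(1, 4)], {1: 3}),                        # one record never landed
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for file_id, declared, batches, loaded in SAMPLE:
        conn.execute("INSERT INTO file_control VALUES (?, ?, ?)",
                     (file_id, "IFACE-A", declared))
        conn.executemany("INSERT INTO batch_summary VALUES (?, ?, ?)",
                         [(file_id, b, n) for b, n in batches])
        for batch_no, count in loaded.items():
            conn.executemany(
                "INSERT INTO loaded_record VALUES (?, ?, ?)",
                [(file_id, batch_no, f"{file_id}-{batch_no}-{i}")
                 for i in range(count)])
    return conn


def reconcile(conn):
    """Compare declared, summarized and loaded counts for every file."""
    duplicates = {}
    for file_id, batch_no in conn.execute(DUPLICATE_SQL):
        duplicates.setdefault(file_id, []).append(batch_no)

    report = []
    for file_id, declared, summarized, loaded in conn.execute(TOTALS_SQL):
        dup = duplicates.get(file_id, [])
        if declared == summarized == loaded and not dup:
            status = "reconciled"
        elif dup and declared == loaded:
            # Data arrived intact, but the control table itself is wrong.
            status = "summary_count_duplicated"
        else:
            status = "out_of_balance"
        report.append({"file_id": file_id, "declared": declared,
                       "summarized": summarized, "loaded": loaded,
                       "duplicate_batches": dup, "status": status})
    return report


if __name__ == "__main__":
    for row in reconcile(build_sample_db()):
        print(row)
```

Counting the detail rows independently of the summary table is what separates a wrong control table from missing data; comparing only the declared total with the summarized total cannot tell the two apart.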
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
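An added illustration, not MDHHS's or Bridges' own code: a periodic check for two requirements cited under Criteria, that incompatible role combinations carry an exception approved before the access was granted and that accounts are reviewed semiannually when privileged and annually otherwise. Role names, the 183-day and 365-day intervals, and all sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations
from typing import Optional

# Assumed day counts for the "semiannually" and "annually" cadences.
REVIEW_INTERVAL = {True: timedelta(days=183), False: timedelta(days=365)}

# Hypothetical role names; each pair must not be held by one user
# unless an exception was approved first.
INCOMPATIBLE = {
    frozenset({"eligibility_worker", "payment_approver"}),
    frozenset({"eligibility_worker", "security_admin"}),
}


@dataclass
class Account:
    user: str
    roles: dict                     # role name -> date the role was granted
    privileged: bool
    last_reviewed: Optional[date]   # None means never reviewed


def audit(accounts, exceptions, today):
    """Return sorted (user, issue) tuples.

    exceptions maps (user, frozenset of two roles) -> approval date, or
    None when a request exists but was never approved.
    """
    issues = []
    for acct in accounts:
        for pair in combinations(sorted(acct.roles), 2):
            key = frozenset(pair)
            if key not in INCOMPATIBLE:
                continue
            # The conflict starts when the second role of the pair is granted.
            conflict_start = max(acct.roles[r] for r in pair)
            if (acct.user, key) not in exceptions:
                issues.append((acct.user, "no_exception_on_file"))
                continue
            approved = exceptions[(acct.user, key)]
            if approved is None or approved > conflict_start:
                issues.append(
                    (acct.user, "exception_not_approved_before_grant"))
        overdue_after = REVIEW_INTERVAL[acct.privileged]
        if acct.last_reviewed is None or today - acct.last_reviewed > overdue_after:
            issues.append((acct.user, "review_overdue"))
    return sorted(issues)


def sample_findings():
    """Run the check over constructed accounts as of 2023-09-30."""
    worker_approver = frozenset({"eligibility_worker", "payment_approver"})
    accounts = [
        Account("alice", {"eligibility_worker": date(2023, 1, 10),
                          "payment_approver": date(2023, 3, 1)},
                False, date(2023, 2, 1)),
        Account("bob", {"eligibility_worker": date(2023, 1, 5),
                        "payment_approver": date(2023, 4, 1)},
                False, date(2023, 6, 1)),
        Account("carol", {"eligibility_worker": date(2022, 11, 1),
                          "security_admin": date(2023, 1, 2)},
                True, date(2023, 1, 15)),
        Account("dave", {"security_admin": date(2023, 5, 1)}, True, None),
    ]
    exceptions = {
        ("alice", worker_approver): date(2023, 2, 20),  # approved before grant
        ("bob", worker_approver): date(2023, 4, 15),    # approved after grant
    }
    return audit(accounts, exceptions, date(2023, 9, 30))


if __name__ == "__main__":
    for user, issue in sample_findings():
        print(user, issue)
```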
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-008
MDHHS, PACAP - Inappropriate PACAP Allocation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted:
a. 2 (1%) of 203 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 6 (40%) of 15 sampled cost pools.
b. 2 (13%) of 16 Random Moment Time Studies, which MDHHS used to calculate PACAP percentages, did not have a complete population of participants, which affected 6 (40%) of 15 sampled cost pools.
Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received.
Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.
Federal regulation 2 CFR 200.306 requires that costs used for matching be allowable costs to the federal award.
Cause
MDHHS informed us its current quality control processes did not detect the errors.
Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.
Management Views
MDHHS disagrees the exceptions identified should rise to the level of a significant deficiency and noncompliance. The comprehensive set of quality control processes continue to operate as designed to identify any errors greater than 5.0% of the total difference of the given statistical group from the previous quarter and none of the errors identified in the finding fell outside of this range.
For part a., the auditor's review included all related statistical records within each statistical group for the 15 sampled cost pools. This includes all statistics used in the cost allocation process for the entire fiscal year because the costs that originate in these cost pools are referenced in all other cost pools. After review of all fiscal year 2023 statistical data, 6 individual statistical records out of 6,548 were found to be in error. After recalculating the cost allocated amounts related to this error, we identified that approximately $15,346 was overclaimed to LIHEAP out of $1,732,426,561 (0.0009%) of costs allocated in fiscal year 2023 by MDHHS. The other program areas identified were underclaimed.
For part b., MDHHS acknowledges the exclusion of a participant from two quarters (quarter three and quarter four) of the Family Independence Specialists/Eligibility Specialists (FIS/ES) Random Moment Time Study (RMTS) in the sample. Although the actual dollar value impact of excluding a participant is indeterminable, MDHHS concluded the impact would be immaterial because there are over 6,000 RMTS participants each quarter and RMTS results vary little from quarter to quarter from non-programmatic changes.
Auditor's Comments to Management Views
For part a., we calculated the cost allocated amounts related to the error and identified that approximately $17,317 was overclaimed to LIHEAP out of $141.0 million of second quarter expenditures. However, in combination with part b., we could not conclude overclaims for other federal programs were less than $25,000.
For part b., MDHHS used incomplete data to allocate approximately $143.5 million of third quarter expenditures and $171.2 million of fourth quarter expenditures for a total of $314.6 million to various federal and State programs, which may have affected the percentages used to allocate these expenditures. MDHHS did not assess the impact of these incomplete records. Consequently, it has no basis for its "immaterial" statement.
Given the errors noted in parts a. and b., we could not determine the combined known questioned costs; however, it is likely that the improper allocation related to the $455.7 million exceeds $25,000 for the federal programs identified. Federal regulation 2 CFR 200.516(a)(3) states that in evaluating the effect of questioned costs on the opinion on noncompliance, the auditor considers the best estimate of total questioned costs (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report audit findings for known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.
Therefore, the finding stands as written.
FINDING 2023-009
Treasury, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the Child Support Services and LIHEAP clearance patterns as specified in its fiscal year 2023 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the program clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-056
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Client Benefits in Excess of Fiscal Year Cap
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure the total client benefits were limited to the fiscal year cap for 1 (3%) of 39 sampled clients.
Criteria
Federal law 42 USC 8624 requires the State expend funds in accordance with the LIHEAP State Plan. The LIHEAP State Plan indicates that when a payment was necessary to resolve an energy related emergency, the payment would be the minimum amount necessary to prevent shutoff or restore activities for natural gas and electric services and the payment for any other fuel types and deliverable fuels may be made up to the fiscal year cap. Also, MDHHS policy establishes payment limits for these emergency energy fiscal year caps.
Cause
MDHHS informed us the miscalculation of the total client benefits paid during the fiscal year was caused by a manual data entry error.
Effect
MDHHS made an energy payment in excess of the client's fiscal year cap. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $190 - federal share.
Recommendation
We recommend MDHHS ensure the total client benefits do not exceed the fiscal year cap.
Management Views
MDHHS agrees with the finding.
FINDING 2023-057
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility for 9 (23%) of 39 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Examples of such documentation include support for the verification of the client's income, household size, and proof of energy crisis.
Criteria
Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy.
MDHHS policy requires county/district office caseworkers to verify and include certain income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. In addition, policy indicates the income limitation to be eligible is based on family size or SER group size.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely that total questioned costs would exceed $25,000.
• $6,469 - federal share.
Recommendation
We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform them when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit was completed and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit is completed, submitted, and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities.
Management Views
MDHHS agrees with the finding.
FINDING 2023-001
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 8 interfaces sampled. For this 1 interface, we reviewed all quarterly files and noted all 4 files did not reconcile.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security* controls must be implemented to protect State of Michigan information from modification to ensure confidentiality*, integrity*, and availability* of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB agrees with the finding.
FINDING 2023-002
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not maintain documentation for 30 (75%) of the 40 sampled Bridges incompatible role exception requests. Of the 10 forms received, we noted MDHHS did not properly approve 6 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 21 (26%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (3%) of 59 sampled security monitoring reports.
c. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 10 (26%) forms prior to granting access to Bridges.
d. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
e. MDHHS did not maintain documentation for 9 (45%) of the 20 sampled local office high risk Bridges transaction monitoring reports. Of the 11 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (27%) of the reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
Management Views
MDHHS agrees with the finding.
FINDING 2023-003
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2023-004
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 12 (21%) of 56 cases.
b. For 5 (36%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (16%) of 56 cases reviewed, all of which are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. MDHHS implemented a change to Bridges in July 2023 to require an action comment before the county/district office caseworkers dispose of the electronic notification for 10 of these 11 interfaces.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2023. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it had not yet established and implemented the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., and d. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. Although MDHHS did not implement the Bridges change to require an action comment before the county/district office caseworkers dispose of the electronic notifications until July 2023, MDHHS had policies and procedures in effect during fiscal year 2023 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for MAGI-based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views*
Regarding part c., MDHHS acknowledges it did not implement the Bridges change to require an action comment before the caseworkers dispose of the electronic notifications for the first 9 months of fiscal year 2023. In addition, although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2023-005
CHAMPS General Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is a medical assistance claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems* contained potentially vulnerable database configurations.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
Cause
DTMB informed us that competing priorities and the need for additional time to review the impact of implementing the tailored configurations, due to the change management process, delayed the implementation of tailored configuration recommendations.
Effect
Without effective general controls, individuals may make inappropriate changes to CHAMPS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database.
Management Views
Although MDHHS and DTMB delayed the implementation of SOM tailored configurations, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data.
DTMB has implemented and continues to implement the manufacturer's recommendations regarding security configurations and performs regular database and operating system patching. Additionally, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards.
Auditor's Comments to Management Views
We determined, and DTMB and MDHHS acknowledged, they did not fully implement the tailored configurations; therefore, the potential vulnerabilities and security risk still exist.
The finding stands as written.
FINDING 2023-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
We noted:
a. MDHHS did not report any subaward information for 4 (5%) of 73 sampled subawards.
b. Of the 69 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 65 (94%) sampled subawards.
(2) MDHHS did not report all key data elements for 1 (1%) sampled subaward.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us some subaward data initially submitted to FSRS was inaccurate and rejected by FSRS, which contributed to its inability to report timely. Other contributing factors include untimely receipt of grant award information from the federal awarding agency, inaccurate information provided by grantees, and incorrect or missing information on the MDHHS Grant Received Report.
Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2023-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Background
In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised to require auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP.
Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. These continuous enrollment conditions ended March 31, 2023 with the passage of the Consolidated Appropriations Act of 2023, and states were required to initiate all redeterminations within a 12-month unwinding period. MDHHS began initiating redeterminations in June 2023. We sampled beneficiaries for each program who either had a benefit period which started during fiscal year 2023 or who had a benefit period which started prior to fiscal year 2023 and had a redetermination during the months of June through September 2023.
We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table.
For an estimated 22,428 Medicaid and 8,520 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested.
The results of the testing for the remaining 59 Medicaid and 56 CHIP beneficiaries we were able to review are summarized in the finding below.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 5 (8%) of 59 Medicaid and 12 (21%) of 56 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 59 Medicaid and 1 (2%) of 56 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 2 (3%) of 59 Medicaid and 4 (7%) of 56 CHIP cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulations 42 CFR 435.912(c) and 42 CFR 457.340(d) require MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
Cause
For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions.
For part b., MDHHS indicated the missing documentation resulted from staff oversight.
For part c., MDHHS indicated limited staff resources and a significantly higher number of renewals due to the Public Health Emergency affected its ability to determine beneficiary eligibility within the required time frame.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 10% Medicaid and 29% CHIP unduplicated error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $2,211 - federal share.
• $762 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support that beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $33.4 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2023.
However, we selected a sample of 3 beneficiaries that were transferred to CHIP and noted that 1 of 3 beneficiaries was not eligible for CHIP but was in fact Medicaid eligible and, therefore, should not have been transferred.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, one case was transferred in error.
Effect
MDHHS inappropriately transferred $133 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Also, of the $33.4 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $33.4 million in CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 11% of total CHIP expenditures.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $89 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $89 is questioned in Finding 2023-013.
• $45 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2023-015
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support that eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates that interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2023-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure that disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware that new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2023-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $103,627 of the federal share of overpayments.
b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the second quarter of fiscal year 2023.
c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording 2 (8%) of 25 sampled Medicaid overpayments on the incorrect CMS-64 line.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
MDHHS informed us system issues contributed to the untimely and inaccurate reporting of overpayments.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report.
Management Views
MDHHS agrees with the finding.
FINDING 2023-018
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 7 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not incorporate the necessary adjustments to the MLR report template for all managed care entities to report their comparison of the amounts reported in the MLR calculation with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2023-019
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2023, was completed and posted to its website at least once every three years.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, because of the audit activity time frames outlined within the scope of the contract, not all audit activities were completed during fiscal year 2023.
Effect
Failure to ensure the accuracy of data could affect the capitation rates that are developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.