Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, management subsequently performed the review, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document its review of the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year. Such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year. Such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year. Such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users were not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 sampled employee terminations with access to the Infor system, the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions, indicating that these users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a), states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may in turn result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access because it relied on preventative access controls and had no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the deprovisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or deprovisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee terminations sampled for Infor system access, the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination samples tested for the Infor system, access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions, indicating that these users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above are related to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, it was determined that the users' access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 terminated employees sampled for Infor system access, access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that these users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination samples, access to the Infor system was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions, indicating that these users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 samples of terminated employees’ access to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access because it relied on preventative access controls and had no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, it was determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition occurred primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring, and that this monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to two factors: the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could leave the subrecipient unable to adequately track and report the subawards received, resulting in errors on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report and in the subrecipient being unable to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could leave the subrecipient unable to adequately track and report the subawards received, resulting in errors on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report and in the subrecipient being unable to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward, and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to two factors: the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient being unable to adequately track and report the subawards received, resulting in errors on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report and an inability to comply with the required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition occurred primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the deprovisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above are related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year. Such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document its review of the report because the control operators lacked knowledge of the performance and documentation requirements.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the deprovisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above relate to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, management subsequently performed the review, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review of the report. Upon audit inquiry, management subsequently performed the review, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 samples of new or modified employee Workday access provisioning, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change Review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT)control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year, such a control would enable management to detect inappropriate changes to the Workday application. Such a report detailing changes to Workday was generated as part of the Uniform Guidance audit, however management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor which delayed the de provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution
(PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment, and BMC relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management, and we observed that no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access for the sampled users was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above are related to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users' access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D; Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 sampled terminated employees with access to the Infor system, access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that these users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that these users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D; Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and deprovisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the deprovisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and deprovisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access because it relied on preventative access controls and had no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee terminations sampled for access to the Infor system, it was determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system after their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access because it relied on preventative access controls and had no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC's management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support the infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that those users did not log on to the system after their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access, due to reliance on preventative access controls and because no review requirements had been established as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples for the Infor system, it was determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, we determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and the absence of established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access for the sampled users was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment, and BMC relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 sampled employee terminations, access to the Infor system was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating that the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a), states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application control configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a could based system, as the entity’s general ledger. BMC management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document a Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined the samples were not removed in a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not logon to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal of de provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D
Provider Relief Fund Provider Relief Fund and American Rescue Plan (ARP)
Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users' access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal (de-provisioning) of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D; Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that the sampled users’ access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above relate to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and removal or de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non-compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found occurred primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition occurred primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition was primarily due to two gaps: the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found occurred primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFE section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, the BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient and BMC does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that BMC implement policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D Cluster
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 003
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (2 CFR section 200.332xxi)
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. BMC does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2023, BMC passed through $18,031,446 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non-compliance, BMC has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Single Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified the following:
1. For 4 of 16 subrecipients selected for testwork, BMC did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, BMC did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports and review of Single Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by BMC do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because BMC does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend BMC implement policies, procedures, and internal controls to ensure a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
We recommend that BMC enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D and Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF) (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 001
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Workday, a cloud-based system, to provide human resources and payroll applications. BMC’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment and relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Workday IT application controls.
During our testing, we noted the following deficiencies in the operating effectiveness of the Workday general IT controls:
1) BMC did not perform and document a Workday change review during the fiscal year; such a control would enable management to detect inappropriate changes to the Workday application. A report detailing changes to Workday was generated as part of the Uniform Guidance audit; however, management did not formally perform and document its review over the report. Upon audit inquiry, the review was subsequently performed by management and we observed no inappropriate changes were made during the year that would impact the IT application controls relied upon.
2) For 1 of 13 employee new or modified Workday access provisioning samples, BMC did not maintain adequate documentation of the access request and approval. Upon audit inquiry, it was determined that access was provided as part of a promotion and was appropriate; however, it was not formally documented.
Cause
The conditions above related to the following:
1) Management did not formally perform and document their review over the report due to a lack of knowledge of performance and documentation requirements by the control operators.
2) The exception occurred due to delays in supervisors’ timely reporting of terminations in Infor, which delayed the de-provisioning process performed by IT.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for requesting and provisioning access to help ensure that requests for both new and modified access are appropriately obtained and documented for approval of access needed for job responsibilities.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: R&D; Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (93.498)
Federal Award Numbers: Various
Federal Award Years: Various
Reference: 2023 002
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
BMC utilizes Infor, a cloud-based system, as the entity’s general ledger. BMC’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the PRF and R&D programs rely on Infor IT application controls.
During our test work, we noted the following deficiencies in the operating effectiveness of the general IT controls:
1) BMC did not have a process in place to perform and document an Infor User Access Review during the fiscal year. Upon audit inquiry, a review was performed to confirm there were no impacts to IT application controls configurations or processes.
2) For 4 of 15 employee termination access samples to the Infor system, it was determined that access was not removed on a timely basis following the employee’s termination date. Upon audit inquiry, we obtained system documentation for the 4 users identified as exceptions indicating the related users did not log on to the system past their termination date.
Cause
The conditions above related to the following:
1) Management did not formally implement a process or policy to review user access due to reliance on preventative access controls and no established review requirements as of the fiscal year.
2) The exceptions occurred due to human oversight during the execution of the de-provisioning process.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access may result in unauthorized changes being made to Infor, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
Not applicable
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Recommendation
We recommend that management review and emphasize the access management policies and procedures with key personnel to help ensure that an Infor User Access Review is performed.
Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication and de-provisioning of users.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.