FAC Explorer

Audit 321602

FY End
2023-12-31
Total Expended
$32.99M
Findings
12
Programs
24
Organization: Bjc Healthcare (MO)
Year: 2023 Accepted: 2024-09-27
Auditor: Ernst & Young LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
498851 2023-001 Material Weakness Yes AELN
498852 2023-001 Material Weakness Yes AELN
498853 2023-003 Material Weakness - ABH
498854 2023-003 Material Weakness - ABH
498855 2023-002 Material Weakness Yes ABHN
498856 2023-002 Material Weakness Yes ABHN
1075293 2023-001 Material Weakness Yes AELN
1075294 2023-001 Material Weakness Yes AELN
1075295 2023-003 Material Weakness - ABH
1075296 2023-003 Material Weakness - ABH
1075297 2023-002 Material Weakness Yes ABHN
1075298 2023-002 Material Weakness Yes ABHN

Programs

ALN Program Spent Major Findings
93.498 Covid-19 Provider Relief Fund and American Rescue Plan (arp) Rural Distribution $15.87M Yes 0
84.268 Federal Direct Student Loans $5.82M Yes 1
97.036 Covid-19 Disaster Grants - Public Assistance (presidentially Declared Disasters) $3.36M Yes 1
93.399 Cancer Control $1.03M Yes 1
84.063 Federal Pell Grant Program $766,487 Yes 1
93.493 Congressional Directives $575,440 - 0
93.788 Opioid Str $473,845 - 0
93.889 National Bioterrorism Hospital Preparedness Program $457,610 - 0
21.027 Covid-19 Coronavirus State and Local Fiscal Recovery Funds $252,140 Yes 0
84.007 Federal Supplemental Educational Opportunity Grants $116,890 Yes 0
93.898 Cancer Prevention and Control Programs for State, Territorial and Tribal Organizations $97,837 - 0
93.153 Coordinated Services and Access to Research for Women, Infants, Children, and Youth $90,382 - 0
93.395 Cancer Treatment Research $67,893 Yes 1
84.425 Covid-19 Education Stabilization Fund $58,704 - 0
93.124 Nurse Anesthetist Traineeship $57,038 - 0
16.582 Crime Victim Assistance/discretionary Grants $28,887 - 0
93.173 Research Related to Deafness and Communication Disorders $12,155 Yes 0
93.671 Covid-19 Family Violence Prevention and Services/domestic Violence Shelter and Supportive Services $12,152 - 0
93.558 Temporary Assistance for Needy Families $12,128 - 0
93.732 Covid-19 Mental and Behavioral Health Education and Training Grants $10,237 - 0
93.393 Cancer Cause and Prevention Research $8,941 Yes 0
93.397 Cancer Centers Support Grants $3,800 Yes 0
93.671 Family Violence Prevention and Services/domestic Violence Shelter and Supportive Services $2,034 - 0
84.033 Federal Work-Study Program $1,943 Yes 0

Contacts

Name Title Type
TAXKGGTKAAU7 Lori Schreiner Auditee
3147474122 Lindsey Roe Auditor
No contacts on file

Notes to SEFA

Title: Significant Accounting Policies Accounting Policies: The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements. De Minimis Rate Used: Both Rate Explanation: Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates. The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements.
Title: Indirect Costs Accounting Policies: The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements. De Minimis Rate Used: Both Rate Explanation: Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates. Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates.
Title: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (Assistance Listing No. 97.036) Accounting Policies: The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements. De Minimis Rate Used: Both Rate Explanation: Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates. Expenditures for disaster grants from the U.S. Department of Homeland Security, are recorded on the Schedule when the funds are obligated by the federal agency through the approval of the Project Worksheets and eligible expenditures have been incurred, and are presented net of estimated insurance recoveries, if any. Disaster grant expenditures included in the Schedule for the year ended December 31, 2023, that were incurred in prior fiscal years were $3,499,053.
Title: Loan/Loan Guarantee Outstanding Balances Accounting Policies: The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements. De Minimis Rate Used: Both Rate Explanation: Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates. BJC HealthCare participates in the Federal Direct Student Loans (Assistance Listing No. 84.268) program, which includes Federal Stafford Loans and Federal Parent Loans for Undergraduate Students. During the year ended December 31, 2023, new loans made under the Federal Direct Student Loans program totaled $5,824,067. Since these loans are made directly by the federal government to students, new loans made during the year ended December 31, 2023, relating to the program are considered current year federal expenditures, whereas the outstanding loan balances are not.
Title: COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (Assistance Listing No. 93.498) Accounting Policies: The schedule of expenditures of federal awards (Schedule), by grantor agency, presents the program expenditures for all federal award programs of BJC HealthCare that had expenditures for the year ended December 31, 2023. For purposes of this report, federal awards are those received directly from a federal agency and those awards received from other agencies, the original source of which was a federal agency. The expenditures reported in the Schedule have been presented on the accrual basis of accounting, in conformity with accounting principles generally accepted in the United States of America. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Accordingly, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the consolidated financial statements. De Minimis Rate Used: Both Rate Explanation: Indirect cost rates for BJC HealthCare were based on applicable U.S. Department of Health and Human Services (HHS) negotiated rates, the 10% de minimis indirect cost rate allowed by the Uniform Guidance, or sponsor-specific rates. The Schedule includes $15,866,652 received from HHS between January 1, 2022 and December 31, 2022, under Assistance Listing No. 93.498, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution (PRF). This amount is reported as Period 5 and Period 6 in the HHS PRF Reporting Portal. Furthermore, this amount was recognized in other revenue in BJC HealthCare’s consolidated financial statements for the year ended December 31, 2022. The amount presented on the Schedule for PRF is for the year ended December 31, 2023. The amount presented reconciles to the PRF information reported to HHS as follows: See the Notes to the SEFA for chart/table

Finding Details

Finding 2023-001
Finding 2023-001 – Information Technology General Controls Identification of the federal program: Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268) Federal Agency: United States Department of Education BJC HealthCare Location: Goldfarb School of Nursing (GSON) Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024) Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Management did not appropriately implement Logical Access and Change Management controls for the period under audit. Effect or potential effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified. Effective testing of the required logical access controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned costs: None. Context: Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following: • User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access requested is what was provisioned. • Access terminations were not consistently removed from the application timely, though active directory access was removed. • Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review. a. The review is sent to each user and there is no overall, independent review of all user’s access by an overseer / manager. b. There was no review evidence for three of 44 accounts with access to Banner. • Documentation evidencing testing or approval for three of six patches applied to production was not retained or available. Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023. Identification as a repeat finding, if applicable: This is a partial repeat of finding 2022-002 from the prior year. Recommendation: Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls. Views of responsible officials: BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls: • Establishment of a formal provisioning and deprovisioning process for Banner system access. • Refinements to formal access review process to include an independent review of system access, as well as an overseer or manager approval. • Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.
Finding 2023-001
Finding 2023-001 – Information Technology General Controls Identification of the federal program: Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268) Federal Agency: United States Department of Education BJC HealthCare Location: Goldfarb School of Nursing (GSON) Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024) Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Management did not appropriately implement Logical Access and Change Management controls for the period under audit. Effect or potential effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified. Effective testing of the required logical access controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned costs: None. Context: Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following: • User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access requested is what was provisioned. • Access terminations were not consistently removed from the application timely, though active directory access was removed. • Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review. a. The review is sent to each user and there is no overall, independent review of all user’s access by an overseer / manager. b. There was no review evidence for three of 44 accounts with access to Banner. • Documentation evidencing testing or approval for three of six patches applied to production was not retained or available. Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023. Identification as a repeat finding, if applicable: This is a partial repeat of finding 2022-002 from the prior year. Recommendation: Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls. Views of responsible officials: BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls: • Establishment of a formal provisioning and deprovisioning process for Banner system access. • Refinements to formal access review process to include an independent review of system access, as well as an overseer or manager approval. • Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.
Finding 2023-003
Finding 2023-003 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, and H. Period of Performance Identification of the federal program: Federal Agency: U.S. Department of Health and Human Services Federal Program: Research and Development Cluster (Assistance Listing Nos. 93.395 and 93.399) BJC HealthCare Location: Missouri Baptist Medical Center Pass-Through Entities and Award Numbers: Pass-Through Award Periods: Brigham and Women’s Hospital, Inc./120870 (Amendment 1) Brigham and Women’s Hospital, Inc./120870 03/01/2023–02/29/2024 03/01/2022–02/28/2023 Decatur Memorial Hospital/None 08/01/2022–07/31/2023; 08/01/2023–07/31/2024 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviews and approves Effort Certification Reports (ECRs) for allowability and period of performance, including determining whether adjustments were required and appropriate. Evidence of review and approval was not consistently retained for ECRs. Cause: Due to employee turnover, evidence of review and approval over the ECRs by the appropriate Grant Management Office personnel was not consistently retained during the fiscal year. Effect or potential effect: Unallowable expenses could be charged to the Research and Development Cluster program. Questioned costs: None. Context: Total Research and Development Cluster expenditures reported on the schedule of expenditures of federal awards are $1,125,092 for the year ended December 31, 2023. Of this amount, payroll costs totaled $666,648 and fringe benefit costs totaled $184,759. Identification as a repeat finding: This finding is not a repeat finding from the prior year. Recommendation: Management should ensure that established internal controls over the review and approval of effort reports are consistently followed. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen current controls and documentation to ensure that all ECRs are appropriately approved and documentation of the approval is retained.
Finding 2023-003
Finding 2023-003 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, and H. Period of Performance Identification of the federal program: Federal Agency: U.S. Department of Health and Human Services Federal Program: Research and Development Cluster (Assistance Listing Nos. 93.395 and 93.399) BJC HealthCare Location: Missouri Baptist Medical Center Pass-Through Entities and Award Numbers: Pass-Through Award Periods: Brigham and Women’s Hospital, Inc./120870 (Amendment 1) Brigham and Women’s Hospital, Inc./120870 03/01/2023–02/29/2024 03/01/2022–02/28/2023 Decatur Memorial Hospital/None 08/01/2022–07/31/2023; 08/01/2023–07/31/2024 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviews and approves Effort Certification Reports (ECRs) for allowability and period of performance, including determining whether adjustments were required and appropriate. Evidence of review and approval was not consistently retained for ECRs. Cause: Due to employee turnover, evidence of review and approval over the ECRs by the appropriate Grant Management Office personnel was not consistently retained during the fiscal year. Effect or potential effect: Unallowable expenses could be charged to the Research and Development Cluster program. Questioned costs: None. Context: Total Research and Development Cluster expenditures reported on the schedule of expenditures of federal awards are $1,125,092 for the year ended December 31, 2023. Of this amount, payroll costs totaled $666,648 and fringe benefit costs totaled $184,759. Identification as a repeat finding: This finding is not a repeat finding from the prior year. Recommendation: Management should ensure that established internal controls over the review and approval of effort reports are consistently followed. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen current controls and documentation to ensure that all ECRs are appropriately approved and documentation of the approval is retained.
Finding 2023-002
Finding 2023-002 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, H. Period of Performance and N. Special Tests and Provisions Identification of the federal program: Federal Agency: U.S. Department of Homeland Security, Federal Emergency Management Agency (FEMA) Pass-Through Entities: Missouri State Emergency Management Agency and Illinois Emergency Management Agency Federal Program: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (Assistance Listing No. 97.036) Pass-Through Award Numbers: Pass-Through Award Periods: PA-05-IL-4489-PW-1324(1) 01/21/2020–Ongoing PA-07-MO-4490-PW-00750 04/01/2021–07/01/2022 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviewed a sample of FEMA expenses during the fiscal year for compliance with allowability, period of performance, and special tests and provisions requirements. However, the review did not ensure that invoices allocated between multiple project worksheets did not exceed claim in total for management costs. In addition, for materials and supplies costs, the review was not performed timely as it was completed four months after the claim was submitted. Cause: Management’s internal control over the review and approval of FEMA expenses (materials and supplies and management costs) for compliance with allowability, period of performance, and special tests and provisions requirements was not properly designed or operating effectively. Effect or potential effect: Unallowable expenses could be charged to the FEMA program. Questioned costs: None. Context: Total FEMA expenditures reported on the schedule of expenditures of federal awards are $3,503,825 for the year ended December 31, 2023. Of this amount, management costs totaled $11,205 and materials and supplies costs totaled $682,254. Identification as a repeat finding: This finding is a partial repeat of finding 2022-004 from the prior year. Recommendation: Management should reassess its internal controls over the review and approval of FEMA expenses for compliance with allowability, period of performance, and special tests and provisions requirements. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen controls and documentation to ensure that invoices allocated between multiple project worksheets do not exceed amount claimed in total for management costs. In addition, BJC will ensure reviews are performed timely.
Finding 2023-002
Finding 2023-002 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, H. Period of Performance and N. Special Tests and Provisions Identification of the federal program: Federal Agency: U.S. Department of Homeland Security, Federal Emergency Management Agency (FEMA) Pass-Through Entities: Missouri State Emergency Management Agency and Illinois Emergency Management Agency Federal Program: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (Assistance Listing No. 97.036) Pass-Through Award Numbers: Pass-Through Award Periods: PA-05-IL-4489-PW-1324(1) 01/21/2020–Ongoing PA-07-MO-4490-PW-00750 04/01/2021–07/01/2022 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviewed a sample of FEMA expenses during the fiscal year for compliance with allowability, period of performance, and special tests and provisions requirements. However, the review did not ensure that invoices allocated between multiple project worksheets did not exceed claim in total for management costs. In addition, for materials and supplies costs, the review was not performed timely as it was completed four months after the claim was submitted. Cause: Management’s internal control over the review and approval of FEMA expenses (materials and supplies and management costs) for compliance with allowability, period of performance, and special tests and provisions requirements was not properly designed or operating effectively. Effect or potential effect: Unallowable expenses could be charged to the FEMA program. Questioned costs: None. Context: Total FEMA expenditures reported on the schedule of expenditures of federal awards are $3,503,825 for the year ended December 31, 2023. Of this amount, management costs totaled $11,205 and materials and supplies costs totaled $682,254. Identification as a repeat finding: This finding is a partial repeat of finding 2022-004 from the prior year. Recommendation: Management should reassess its internal controls over the review and approval of FEMA expenses for compliance with allowability, period of performance, and special tests and provisions requirements. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen controls and documentation to ensure that invoices allocated between multiple project worksheets do not exceed amount claimed in total for management costs. In addition, BJC will ensure reviews are performed timely.
Finding 2023-001
Finding 2023-001 – Information Technology General Controls Identification of the federal program: Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268) Federal Agency: United States Department of Education BJC HealthCare Location: Goldfarb School of Nursing (GSON) Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024) Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Management did not appropriately implement Logical Access and Change Management controls for the period under audit. Effect or potential effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified. Effective testing of the required logical access controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned costs: None. Context: Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following: • User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access requested is what was provisioned. • Access terminations were not consistently removed from the application timely, though active directory access was removed. • Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review. a. The review is sent to each user and there is no overall, independent review of all user’s access by an overseer / manager. b. There was no review evidence for three of 44 accounts with access to Banner. • Documentation evidencing testing or approval for three of six patches applied to production was not retained or available. Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023. Identification as a repeat finding, if applicable: This is a partial repeat of finding 2022-002 from the prior year. Recommendation: Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls. Views of responsible officials: BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls: • Establishment of a formal provisioning and deprovisioning process for Banner system access. • Refinements to formal access review process to include an independent review of system access, as well as an overseer or manager approval. • Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.
Finding 2023-001
Finding 2023-001 – Information Technology General Controls Identification of the federal program: Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268) Federal Agency: United States Department of Education BJC HealthCare Location: Goldfarb School of Nursing (GSON) Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024) Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Management did not appropriately implement Logical Access and Change Management controls for the period under audit. Effect or potential effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified. Effective testing of the required logical access controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned costs: None. Context: Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following: • User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access requested is what was provisioned. • Access terminations were not consistently removed from the application timely, though active directory access was removed. • Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review. a. The review is sent to each user and there is no overall, independent review of all user’s access by an overseer / manager. b. There was no review evidence for three of 44 accounts with access to Banner. • Documentation evidencing testing or approval for three of six patches applied to production was not retained or available. Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023. Identification as a repeat finding, if applicable: This is a partial repeat of finding 2022-002 from the prior year. Recommendation: Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls. Views of responsible officials: BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls: • Establishment of a formal provisioning and deprovisioning process for Banner system access. • Refinements to formal access review process to include an independent review of system access, as well as an overseer or manager approval. • Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.
Finding 2023-003
Finding 2023-003 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, and H. Period of Performance Identification of the federal program: Federal Agency: U.S. Department of Health and Human Services Federal Program: Research and Development Cluster (Assistance Listing Nos. 93.395 and 93.399) BJC HealthCare Location: Missouri Baptist Medical Center Pass-Through Entities and Award Numbers: Pass-Through Award Periods: Brigham and Women’s Hospital, Inc./120870 (Amendment 1) Brigham and Women’s Hospital, Inc./120870 03/01/2023–02/29/2024 03/01/2022–02/28/2023 Decatur Memorial Hospital/None 08/01/2022–07/31/2023; 08/01/2023–07/31/2024 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviews and approves Effort Certification Reports (ECRs) for allowability and period of performance, including determining whether adjustments were required and appropriate. Evidence of review and approval was not consistently retained for ECRs. Cause: Due to employee turnover, evidence of review and approval over the ECRs by the appropriate Grant Management Office personnel was not consistently retained during the fiscal year. Effect or potential effect: Unallowable expenses could be charged to the Research and Development Cluster program. Questioned costs: None. Context: Total Research and Development Cluster expenditures reported on the schedule of expenditures of federal awards are $1,125,092 for the year ended December 31, 2023. Of this amount, payroll costs totaled $666,648 and fringe benefit costs totaled $184,759. Identification as a repeat finding: This finding is not a repeat finding from the prior year. Recommendation: Management should ensure that established internal controls over the review and approval of effort reports are consistently followed. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen current controls and documentation to ensure that all ECRs are appropriately approved and documentation of the approval is retained.
Finding 2023-003
Finding 2023-003 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, and H. Period of Performance Identification of the federal program: Federal Agency: U.S. Department of Health and Human Services Federal Program: Research and Development Cluster (Assistance Listing Nos. 93.395 and 93.399) BJC HealthCare Location: Missouri Baptist Medical Center Pass-Through Entities and Award Numbers: Pass-Through Award Periods: Brigham and Women’s Hospital, Inc./120870 (Amendment 1) Brigham and Women’s Hospital, Inc./120870 03/01/2023–02/29/2024 03/01/2022–02/28/2023 Decatur Memorial Hospital/None 08/01/2022–07/31/2023; 08/01/2023–07/31/2024 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviews and approves Effort Certification Reports (ECRs) for allowability and period of performance, including determining whether adjustments were required and appropriate. Evidence of review and approval was not consistently retained for ECRs. Cause: Due to employee turnover, evidence of review and approval over the ECRs by the appropriate Grant Management Office personnel was not consistently retained during the fiscal year. Effect or potential effect: Unallowable expenses could be charged to the Research and Development Cluster program. Questioned costs: None. Context: Total Research and Development Cluster expenditures reported on the schedule of expenditures of federal awards are $1,125,092 for the year ended December 31, 2023. Of this amount, payroll costs totaled $666,648 and fringe benefit costs totaled $184,759. Identification as a repeat finding: This finding is not a repeat finding from the prior year. Recommendation: Management should ensure that established internal controls over the review and approval of effort reports are consistently followed. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen current controls and documentation to ensure that all ECRs are appropriately approved and documentation of the approval is retained.
Finding 2023-002
Finding 2023-002 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, H. Period of Performance and N. Special Tests and Provisions Identification of the federal program: Federal Agency: U.S. Department of Homeland Security, Federal Emergency Management Agency (FEMA) Pass-Through Entities: Missouri State Emergency Management Agency and Illinois Emergency Management Agency Federal Program: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (Assistance Listing No. 97.036) Pass-Through Award Numbers: Pass-Through Award Periods: PA-05-IL-4489-PW-1324(1) 01/21/2020–Ongoing PA-07-MO-4490-PW-00750 04/01/2021–07/01/2022 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviewed a sample of FEMA expenses during the fiscal year for compliance with allowability, period of performance, and special tests and provisions requirements. However, the review did not ensure that invoices allocated between multiple project worksheets did not exceed claim in total for management costs. In addition, for materials and supplies costs, the review was not performed timely as it was completed four months after the claim was submitted. Cause: Management’s internal control over the review and approval of FEMA expenses (materials and supplies and management costs) for compliance with allowability, period of performance, and special tests and provisions requirements was not properly designed or operating effectively. Effect or potential effect: Unallowable expenses could be charged to the FEMA program. Questioned costs: None. Context: Total FEMA expenditures reported on the schedule of expenditures of federal awards are $3,503,825 for the year ended December 31, 2023. Of this amount, management costs totaled $11,205 and materials and supplies costs totaled $682,254. Identification as a repeat finding: This finding is a partial repeat of finding 2022-004 from the prior year. Recommendation: Management should reassess its internal controls over the review and approval of FEMA expenses for compliance with allowability, period of performance, and special tests and provisions requirements. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen controls and documentation to ensure that invoices allocated between multiple project worksheets do not exceed amount claimed in total for management costs. In addition, BJC will ensure reviews are performed timely.
Finding 2023-002
Finding 2023-002 – A. Activities Allowed or Unallowed, B. Allowable Costs/Cost Principles, H. Period of Performance and N. Special Tests and Provisions Identification of the federal program: Federal Agency: U.S. Department of Homeland Security, Federal Emergency Management Agency (FEMA) Pass-Through Entities: Missouri State Emergency Management Agency and Illinois Emergency Management Agency Federal Program: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (Assistance Listing No. 97.036) Pass-Through Award Numbers: Pass-Through Award Periods: PA-05-IL-4489-PW-1324(1) 01/21/2020–Ongoing PA-07-MO-4490-PW-00750 04/01/2021–07/01/2022 Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303(a) of the Uniform Guidance states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management reviewed a sample of FEMA expenses during the fiscal year for compliance with allowability, period of performance, and special tests and provisions requirements. However, the review did not ensure that invoices allocated between multiple project worksheets did not exceed claim in total for management costs. In addition, for materials and supplies costs, the review was not performed timely as it was completed four months after the claim was submitted. Cause: Management’s internal control over the review and approval of FEMA expenses (materials and supplies and management costs) for compliance with allowability, period of performance, and special tests and provisions requirements was not properly designed or operating effectively. Effect or potential effect: Unallowable expenses could be charged to the FEMA program. Questioned costs: None. Context: Total FEMA expenditures reported on the schedule of expenditures of federal awards are $3,503,825 for the year ended December 31, 2023. Of this amount, management costs totaled $11,205 and materials and supplies costs totaled $682,254. Identification as a repeat finding: This finding is a partial repeat of finding 2022-004 from the prior year. Recommendation: Management should reassess its internal controls over the review and approval of FEMA expenses for compliance with allowability, period of performance, and special tests and provisions requirements. Views of responsible officials: BJC agrees with the findings as reported. BJC is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, BJC will review and strengthen controls and documentation to ensure that invoices allocated between multiple project worksheets do not exceed amount claimed in total for management costs. In addition, BJC will ensure reviews are performed timely.