FAC Explorer

Audit 324550

FY End
2022-06-30
Total Expended
$3.39B
Findings
12
Programs
2
Organization: Puerto Rico Health Insurance Administration (PR)
Year: 2022 Accepted: 2024-10-11
Auditor: Aquino De Cordova LLC

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
502550 2022-001 Material Weakness Yes N
502551 2022-001 Material Weakness Yes N
502552 2022-002 Significant Deficiency - L
502553 2022-002 Significant Deficiency - L
502554 2022-002 Significant Deficiency - L
502555 2022-002 Significant Deficiency - L
1078992 2022-001 Material Weakness Yes N
1078993 2022-001 Material Weakness Yes N
1078994 2022-002 Significant Deficiency - L
1078995 2022-002 Significant Deficiency - L
1078996 2022-002 Significant Deficiency - L
1078997 2022-002 Significant Deficiency - L

Programs

ALN Program Spent Major Findings
93.778 Medical Assistance Program $109.62M Yes 2
93.767 Children's Health Insurance Program $2.90M Yes 1

Contacts

Name Title Type
ZKUEYJL8KZ15 Lymari Colon Auditee
7875220300 Eduardo Gonzalez Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of the Puerto Rico Health Insurance Administration under programs of the federal government for the year ended June 30, 2022. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the Puerto Rico Health Insurance Administration (the Administration), it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Administration.
Title: SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
Title: PASS-THOUGH ENTITY IDENTIFYING NUMBER Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. State or Local government redistribution of federal awards to the Administration, known as “pass-through awards”, should be treated by the Administration as though they were received directly from the federal government. Uniform Guidance requires the schedule to include the name of the pass-through entity for the federal awards received.
Title: INDIRECT COST RATE Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.

Finding Details

Finding 2022-001
Criteria SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621). Condition The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested. Cause This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review. Effect Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service. Questioned Costs NonePerspective information N/A Prior Year Audit Finding 2021-001 Recommendation The Data Collection Form and Single Audit package shall be submitted within the required due dates Management’s Response: Refer to Grantee’s Corrective Action Plan
Finding 2022-001
Criteria SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621). Condition The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested. Cause This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review. Effect Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service. Questioned Costs NonePerspective information N/A Prior Year Audit Finding 2021-001 Recommendation The Data Collection Form and Single Audit package shall be submitted within the required due dates Management’s Response: Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-001
Criteria SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621). Condition The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested. Cause This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review. Effect Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service. Questioned Costs NonePerspective information N/A Prior Year Audit Finding 2021-001 Recommendation The Data Collection Form and Single Audit package shall be submitted within the required due dates Management’s Response: Refer to Grantee’s Corrective Action Plan
Finding 2022-001
Criteria SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621). Condition The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested. Cause This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review. Effect Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service. Questioned Costs NonePerspective information N/A Prior Year Audit Finding 2021-001 Recommendation The Data Collection Form and Single Audit package shall be submitted within the required due dates Management’s Response: Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan
Finding 2022-002
Criteria Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. Condition The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period. Cause The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records. Effect Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance. Prior Year Audit Finding N/A Recommendation Data collection form and single audit package shall be submitted within the required due dates. Questioned Costs None Management’s Response Refer to Grantee’s Corrective Action Plan