Audit 324551

FY End: 2023-06-30
Total Expended: $3.56B
Findings: 12
Programs: 2
Year: 2023 Accepted: 2024-10-11

Findings

ID       Ref       Severity                Repeat  Requirement
502556   2023-001  Material Weakness       Yes     N
502557   2023-001  Material Weakness       Yes     N
502558   2023-002  Significant Deficiency  Yes     L
502559   2023-002  Significant Deficiency  Yes     L
502560   2023-002  Significant Deficiency  Yes     L
502561   2023-002  Significant Deficiency  Yes     L
1078998  2023-001  Material Weakness       Yes     N
1078999  2023-001  Material Weakness       Yes     N
1079000  2023-002  Significant Deficiency  Yes     L
1079001  2023-002  Significant Deficiency  Yes     L
1079002  2023-002  Significant Deficiency  Yes     L
1079003  2023-002  Significant Deficiency  Yes     L

Programs

ALN     Program                              Spent     Major  Findings
93.778  Medical Assistance Program           $106.17M  Yes    2
93.767  Children's Health Insurance Program  $2.91M    Yes    1

Contacts

Name Title Type
ZKUEYJL8KZ15 Lymari Colon Auditee
7875220300 Eduardo Gonzalez Auditor

Notes to SEFA

Title: BASIS OF PRESENTATION
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of the Puerto Rico Health Insurance Administration under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the Puerto Rico Health Insurance Administration (the Administration), it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Administration.

Title: SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, 2 CFR Part 200, wherein certain types of expenditures are not allowable or are limited as to reimbursement.

Title: PASS-THROUGH ENTITY IDENTIFYING NUMBER
State or Local government redistribution of federal awards to the Administration, known as “pass-through awards”, should be treated by the Administration as though they were received directly from the federal government. Uniform Guidance requires the schedule to include the name of the pass-through entity for the federal awards received.

Title: INDIRECT COST RATE
The Puerto Rico Health Insurance Administration has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.

Finding Details

Criteria: SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621).
Condition: The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested.
Cause: This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review.
Effect: Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service.
Questioned Costs: None
Perspective information: N/A
Prior Year Audit Finding: 2022-001
Recommendation: The Administration should establish and maintain a program for conducting periodic risk analysis to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems.
Management’s Response: Refer to Grantee’s Corrective Action Plan

Criteria: Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal, Part 200.512, Report Submission, (a) General, (1) states that the audit must be completed, and the data collection form and reporting package must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period.
Condition: The Data Collection Form and Single Audit reporting package were not submitted within nine (9) months after the end of the audit period.
Cause: The Administration experienced the aftermath of the Coronavirus Pandemic as it relates to maintaining up to date its accounting records.
Effect: Data collection form and single audit reports were not submitted in a timely manner as required by the Uniform Guidance.
Prior Year Audit Finding: 2022-002
Recommendation: Data collection form and single audit package shall be submitted within the required due dates.
Questioned Costs: None
Management’s Response: Refer to Grantee’s Corrective Action Plan